Earlier this year, HolistiCyber’s CEO, Ran Shahor, shared his thoughts on the biggest cybersecurity threat. It’s not the Russians or Chinese; it isn’t even supply chain attacks. While those are serious threats that organizations need to prepare for, the biggest threat is the lack of certified, experienced cybersecurity professionals.
It is somewhat ironic. We often think of employees as the weakest link in cybersecurity. After all, they are the ones being conned by phishing attacks, opening suspicious emails, and exposing networks to attacks with weak passwords. It turns out, though, that we need more people involved in cybersecurity.
Today, there are about one million people employed in a cybersecurity role in the United States, and while reports vary, there are between 400,000 and 600,000 open positions. Globally, the numbers are even more staggering, with an estimated 3.5 million jobs that went unfilled in 2021. Harvard Business Review reported that the majority of CISOs around the world are worried about the cybersecurity skills gap, and 58% expect it to get worse.
At the corporate level, the numbers are truly a cause for concern. A 2020 research report from ISACA found that 62% of cybersecurity teams were understaffed, and 57% had open unfilled positions. Many of the positions that had been filled were by underqualified personnel, and team leaders say their staff can only handle the simplest of cybersecurity incidents.
Increased Pressure on Cyber Teams
United States Cyber Employees Burnt Out
The shortage of cybersecurity experts has had a deleterious impact on the relationship between cyber team members and their employers, which can in turn weaken a company’s overall security posture.
ZDNet reported that the stress of understaffed teams means employees are overworked. Many are feeling burnt out, and some are moving to other companies as part of the Great Resignation.
This comes at a time when American companies are under attack. According to IBM’s Cost of a Data Breach Report 2021, the average cost of a data breach in the United States is over $9M, vastly higher than any other country in the world.
Help Wanted in the EU
The demand for cybersecurity talent has increased by 22% over the last year in much of Western Europe. In Poland, Germany, and Romania, that number jumps to over 30%. Europe’s shift to a digital-first economy coupled with legislation increasing security requirements has many European companies fighting for employees.
Clearly, companies and government agencies across the continent need to solve their hiring shortage and build out strong cyber teams capable of designing and implementing a security posture that defends their assets.
Rising Requirements in India
On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In) published a directive requiring Indian enterprises, governments, and other entities to report any cyber incident within 6 hours of its occurrence.
This directive is seemingly intended to bring more transparency about attacks, but it will also force Indian entities to upgrade their cybersecurity capabilities. These entities will need to quickly distinguish true attacks from false positives, investigate attacks to understand their scope, gather all relevant data, and send it to CERT-In.
Indian companies have until June 27 to comply with the directive, which means that many are in a frenzy, upgrading capabilities and trying to onboard new employees. However, India’s News 18 reported that 75% of Indian companies are finding it difficult to hire cybersecurity experts due to skill shortages. As companies compete for qualified personnel, the shortage in that country will only become more acute.
Reducing the Shortage
All around the world, steps are being taken to help close the gap. Some initiatives stem from private organizations. Microsoft announced in March that it had expanded its cybersecurity skills campaign into 23 different countries. The company is attempting to not only build up qualified cyber-professionals but to increase the number of women and minorities in the field.
In the United States, Microsoft is working with community colleges to help fill 250,000 cybersecurity roles. In a blog post on the company’s site, Microsoft President Brad Smith wrote “Community colleges are the single greatest potential asset the U.S. has in expanding the cybersecurity workforce. They are one of the nation’s most remarkable and ubiquitous assets, and with some targeted assistance, they can move quickly to help address the cybersecurity workforce shortage.”
While colleges and universities develop focused cybersecurity curriculums, some companies are looking at upskilling and reskilling their existing employees. Offering training programs can be less expensive than hiring a new employee, and is useful in retaining employees looking for new challenges.
Overcoming Security Challenges Today
Unfortunately, threat actors aren’t waiting for cybersecurity specialists to be trained. They are constantly on the prowl, running reconnaissance missions to identify targets and find assets they can ransom, steal, or both.
Cybersecurity teams looking to protect their company’s crown jewels have several options. First, they can always entice new team members with better benefits, higher salaries, and enhanced working conditions. Although this will increase company expenses, it may be significantly less expensive than dealing with the aftermath of ransomware or a data breach.
Some companies choose to provide a high level of protection to their most important assets while leaving lesser assets exposed. While this strategy may work, it can also lead to compromises that start in a poorly protected area and spread into the better-protected regions of the network.
Businesses that are concerned about limiting risk frequently outsource their cybersecurity activities to a third-party provider of managed professional services and consulting. In addition to reducing overhead expenses compared with hiring full-time staff, these teams can proactively upgrade a company’s security posture, close existing gaps, and ensure stronger protection mechanisms for the company’s data and assets.
Through proactive measures, like penetration testing, attack simulations, and employee-driven activities, such as training and testing, experts can help close vulnerabilities and put a company in the best position to be more resilient to attacks and prevent catastrophic consequences.
Oftentimes, our consulting teams at HolistiCyber provide organizations with a recommended set of top priorities to act on, paired with the calculated risks we believe a company can accept in order to truly defend its most important assets and handle its most dangerous cyber risks (as opposed to defending every risk and asset all at once). In other words, certain risks are deliberately left unaddressed while others are remediated first. We do this not only because it is a lean and efficient way to operate that saves man-hours, but because we believe it is more secure. It is impossible to hermetically seal off every threat, and when companies try to protect everything, they wind up protecting nothing.
In this way, we have helped many companies to bridge not only their security gaps but also the skills and experience gaps that are so prevalent in enterprises today.
Regardless of the size of the team, we believe that security leaders should turn to threat prioritization and cross-product integration to optimize the use of their limited staff and take advantage of automation and orchestration solutions that best suit their organization’s needs and budget.
If your company is shorthanded, outsourcing cybersecurity to experts who know how to eliminate blind spots in your network and keep you safe simply makes sense.
Looking to supplement your team’s cybersecurity capabilities? Get in touch today!