*This blog was updated on February 21, 2021, with relevant content.*
As a seasoned cyber security professional who has worked at many companies of various sizes and different industries over the years, I have noticed a worrying trend. There is a growing deficit of skilled cyber security professionals to keep enterprises compliant and secure in the face of growing threats. As a result, organizations keep being breached and compromised. In their desperation, organizations scramble to hire staff as quickly as possible, often compromising on quality. But when employees lack the experience or even the right skills to perform their tasks, and the organization has no well-practiced incident response plans, it remains vulnerable to attack and susceptible to fines and other punitive measures as compliance standards gain teeth. Organizations need cybersecurity professionals to help them out. But where to find them, especially when the global shortage of security professionals has reached 3.5 million unfilled positions as of 2021, according to the New York Times and Cybersecurity Ventures? The problem is compounded, according to ISACA, a non-profit information security advocacy group: its in-depth study of the problem shows that most employers struggle not only to hire talented cyber professionals but also to develop and retain them. ISACA illustrates the growing crisis very clearly in its infographic below.
When looking for security personnel, organizations normally start by searching for suitable candidates themselves or by enlisting the services of a recruitment company. In many cases, given this shortage, the required skill set and experience mean that most of these jobs sit unfilled for six months or more.
So what to do? Here are a few strategies that can help:
- Look for professionals with skill sets other than the traditional tech background. By changing two key hiring requirements (a tech background and previous experience in cybersecurity), a whole new talent pool becomes available. As the (ISC)2 report points out, 30% of cybersecurity professionals worldwide launched their cybersecurity career after holding a non-technical role such as in business, accounting, or marketing. Some organizations, such as IBM, opt to hire and train professionals hailing from retail, education, entertainment, and law. This approach demands a lot from enterprises. It means you must treat the development of your cybersecurity professionals, at both the individual and team level, as paramount. You must invest time and training to develop their skills. This on-the-job training can be reinforced by building and regularly practicing incident response plans. Rehearsing for a breach before it occurs means teams will perform more effectively and quickly when it does.
- Incorporate the use of a managed security service provider (MSSP). Partnering with an external cybersecurity company is a win-win, especially in light of limited IT resources and staff. It allows organizations to use automated tools in lieu of in-house cybersecurity staff. Partnering with an MSSP appears to be essential for businesses of all sizes. Large enterprises are looking for advanced managed security services, ranging from threat management, vulnerability management, and anti-malware to scanning and testing. They want the most sophisticated SECaaS solutions in place to strengthen their posture against the constant barrage of cyberattacks. Distributed organizations, such as hotel and restaurant chains, are prime targets. To protect each of their locations, they turn to advanced managed cybersecurity to protect their data, especially customer details and financial information. Small and medium-sized businesses (SMBs) such as law and accounting firms turn to managed security services because they have limited resources (in both budget and staff) to protect themselves from cyberattacks while complying with the various regulations.
- Focus on cybersecurity solutions that automate, and that allow individuals with lower skill sets not only to be effective using them but to learn as they do. This is especially important because cybersecurity jobs are resource intensive, particularly in the face of growing threats and compliance demands. This practical learn-as-you-work methodology means your cyber professionals gain skills on the job. Cymulate's Security-as-a-Service platform is a prime example of a tool that can be used effectively by security professionals of every skill level and that naturally and easily builds their skills with use. The platform is used to launch attack simulations against enterprise infrastructure, with the assessments created by experts and constantly updated with the latest attacks and techniques. By using the platform, security practitioners increase their adversarial knowledge and skills, making them better defenders. With Cymulate, continuous security validation has never been easier to deploy and maintain. Your enterprise will be more secure and compliant, and your security professionals happier and better skilled.
Test the effectiveness of your security controls against possible cyber threats with a 14-day trial of Cymulate’s platform.
Don’t speculate, Cymulate