Continued shortages of security personnel make companies more vulnerable to cyberattacks: report

Just as companies need to bolster their cyber defenses in the face of growing threats posed by Russia, companies are still plagued by an alarming shortage of cybersecurity talent, according to a new survey and recent news reports. This is an ongoing crisis that could create even more crises for many organizations.

fall short

the Philadelphia plaintiff reported that “About one million people work in cybersecurity in the United States, but there are nearly 600,000 vacancies, according to data from CyberSeek. Of those, 560,000 are in the private sector.

“Over the past 12 months, job postings have increased by 29%, more than double the growth rate between 2018 and 2019, according to Gartner TalentNeuron.

Struggling to find and keep talent

Results of a survey released today by cybersecurity firm Cobalt found that “virtually all security teams have had, are having, or will struggle to find and retain talent. In fact, 45% of security respondents said their department is currently experiencing an employee shortage. »

According to Cobalt The state of Pentesting, “…a whopping 90% of respondents who have experienced shortages or lost team members struggle to manage workload.”

Cobalt surveyed over 600 security practitioners and developers and gathered data from over 2,000 cyber penetration tests in 2021

Tangible impact

The cybersecurity workforce crisis, which Cobalt says is now in its fifth year, means businesses may be more vulnerable to cyberattacks.

According to the survey report, “Talent shortages are having a tangible impact on security programs. As colleagues leave and positions remain open, they struggle to maintain security standards, especially around compliance and secure development support. Vulnerabilities are more likely to go unnoticed and teams fear they may not be ready to respond to cyberattacks.

“When security professionals’ bandwidth is stretched, tasks slip through the cracks, leaving digital assets at risk and potentially exposing organizations to Colonial Pipeline-level attacks,” according to the report.

A growing gap

John DeSimone, president of cybersecurity, intelligence and services at Raytheon Intelligence & Space, observed that “…there is still a cyber skills gap that is only growing every year. There is an opportunity to be seized if organizations can properly leverage people seeking more growth and career change, especially in cyber.

“For example, organizations need to recruit and train people who may not exactly meet typical IT standards, ensuring they can do the job, while leveraging their unique skills and expertise that could still prove valuable to the company,” he said.

“They also need to further train cyber candidates who interview but just miss the mark of what the role requires to be successful — to help develop the skills they seek in such positions,” DeSimone noted.

More than a technical problem

Deborah Golden, who heads the US Cyber ​​and Strategic Risk department at Deloitte Risk & Financial Advisory, opined that “…cybersecurity is not just a ‘technology issue’. It cuts across the organizational ecosystem and highlights the need to think about talent a little differently. »

She said, “Organizations that seize the opportunity to expand cyber talent recruitment and retention practices can better engage naturally curious problem solvers to work with cutting-edge technologies and new applications…”

The diversity

“Cybersecurity teams should be as diverse as the cybersecurity challenges we face today – the more diverse the team, the greater the ability to solve the problem at hand,” Golden commented.

Perceptions

“Our adversaries are not one-dimensional and we cannot afford to be either. We need to help change perceptions of cyber talent because today’s reality is that cyber is at the center of the business universe and we need an infusion of skills and capabilities to meet the multitude of challenges caused by the changing threat landscape,” she concluded,

Wells Fargo: Using Additional Resources

Sunil Seshadri is Wells Fargo’s Chief Information Security Officer. He said the company “…supplements its existing recruiting staff with specific resources for cybersecurity roles and streamlines processes for hiring managers.

“The company is also expanding its base of cybersecurity professionals through existing partnerships with universities and various talent programs, as well as spotlighting its referral system to leverage employee networks,” according to Seshadri.

Accenture Security: A Different Approach

Ryan LaSalle, Accenture Security’s North America lead, noted, “People have traditionally entered the cybersecurity workforce with a background in computing and information technology, which reduces the talent pool. At Accenture, we have launched upskilling and reskilling initiatives to ensure our workforce is ready for higher-level jobs.

Look for different perspectives

LaSalle said, “It’s also important to look for talent in other relevant fields, as they often bring new perspectives and make great cybersecurity professionals. For example, people with degrees in anthropology, social sciences, and even criminology bring an understanding of human-centered behaviors, which is essential for analyzing cyberattacks.

Apprenticeship program

“We also have an apprenticeship program that recruits and trains early-career workers, many of whom don’t have a traditional four-year university degree. We have also helped high schools create programs to attract young people to the many opportunities in the professional cybersecurity community,” he noted.

Invest in entry-level talent

LaSalle believed that “companies can make this even more achievable by looking at what skills and qualifications are really, really required for the roles they need, how they can better access entry-level talent, and then invest in developing them. We’ve had great success with this and know other companies can do this too.

Advice for entrepreneurs

Brian Wilson is the chief information security officer of analytics software company SAS. He recommended that business leaders take the following steps to address the security personnel crisis.

Hire to fulfill multiple requirements

“When possible, recruit and hire for multiple jobs [requirements] right away, he advised.

“It can help stay ahead of attrition, with the added benefit of training two or more new employees at the same time. It’s an easy sell when you consider the difficulties of finding scarce talent and the time it takes for new team members to build relationships and get used to the way the business is run. .

Be flexible and creative

“If you can’t offer candidates a higher salary, for example, offer them [the] flexibility to work on their terms. As more companies force staff back into the office full-time, providing some work-from-home flexibility can be a big differentiator,” Wilson recommended.