The fact that organizations are struggling to hire top talent for security roles is no secret; the problem is that the situation does not look like it will ease anytime soon. Harvard Business Review wrote about the cybersecurity talent shortage in 2017 stating that it was a problem that had been top of mind since 2015. And yet here we are in 2019 with recent research finding that 59% of companies are at moderate or extreme risk of cybersecurity attacks due to this shortfall.
While there are new initiatives, such as universities investing in undergraduate degrees, and federal retraining programs like the National Initiative for Cybersecurity Careers and Studies, which will increase the available talent, it’s not going to be enough, and it will take time to see the results.
For most organizations, the skills shortage means it’s time to get creative. What follows are several ideas to combat this problem, ranging from internal changes to technology-based tactics you can employ at your own organization.
1: Manage Your Network Complexity
Your cybersecurity skills needs are directly related to the size of your network: the more complex and fragmented your network, the more work that must be done to protect your organization. As network complexity increases, the ability to provide visibility and control across the whole network, whatever its size, becomes even more important.
Another approach to the cybersecurity skills gap is to examine areas where your own organization could simplify the workload and thus require fewer man-hours to complete. While reducing the number of vendors and platforms is typically not an option in large organizations, a few considerations that will simplify the management of your complex hybrid IT environment include:
- Centralize Network Security Policy Management: Managing security configurations across vendors and platforms, on-prem and hybrid cloud, from a single pane of glass will reduce efforts and better control risks.
- Provide Network Visibility: Understanding the topology of your network allows you to see the pathways a change should follow which means that change requests will become fulfilled more easily with a higher degree of accuracy.
- Document All Network Changes: When it comes time to proving compliance, if all network change requests are documented, searchable and readily available, that frees up your staff’s time for other critical functions.
Network complexity is not going away but with consistent centralized control and management of security policies across complex, hybrid networks your team can improve efficiency, provide faster response to business requests, and reduce the risk of cyberattacks and audit failures.
2: Automate Your Security Changes
Many organizations spend too much time manually processing routine and low-risk security tasks. These manual processes are especially prone to errors and misconfigurations which can lead to serious downtime, a failed audit, or worse yet, a breach. In some cases, essential procedures like decommissioning rules or servers do not take place because of bandwidth constraints, an oversight that can expose your network to cyberthreats.
The key to automating security changes is the ability to centralize and adhere to an organization’s security policy. Automating security policy management provides the guardrails that are needed to enforce a well-documented change process and increase your operational efficiency without adding additional staff. It also helps identify changes that are already implemented and eliminate resource-intensive mistakes and redos. Ultimately, this means gaining better control over security changes and reducing overall risk with the staff that you have in place.
3: Look Within Your Own Walls
We often look outside of our organizations for skilled workers to fill security roles, but there are gems hidden inside the enterprise. Kaspersky Lab research noted that 72% of employers don’t hire for entry-level cybersecurity roles, which means you need to find qualified candidates elsewhere.
For example, many organizations have technical professionals who understand IT operations, but may not have experience with security. These professionals often have the aptitude and interest to develop the necessary security skills and step into a new role. To retrain internal talent, you can offer on-site security workshops led by internal resources or a third party. If an employee can see a path to advance their career and take on new responsibilities in the security arena, they are more likely to engage.
Another tactic to consider is moving some security tasks into the broader IT group. In a recent post, Gartner fellow and research vice president Tom Scholtz states, “Many routine security functions can be performed as well by other IT or business functions.” He suggests that organizations identify functions or capabilities (such as user awareness communication) that can be handled elsewhere in the business or IT department. A caveat to watch out for is fragmentation of the roles and reporting. Scholtz added, “clear direction, strong governance and effective program management should be enough to keep this risk under control and help realize the benefits of a lean security organization.”
4: Capture the Attention of Women and Late Career Changers
It’s smart to take a look at populations of people that are traditionally underrepresented in cybersecurity roles, including women and those seeking to re-enter the workforce (such as people returning after family leave) or to change their careers later in life. While these candidates may not be traditional, there is great potential here.
Just coming off International Women’s Day, we recognize that 50% of our population is grossly underrepresented in the technology sector in general, and in cybersecurity specifically. Current estimates by Cybersecurity Ventures predict that women will represent more than 20 percent of the global cybersecurity workforce by the end of 2019; while this is heading in the right direction, we still have a long way to go.
At Tufin we are proud that 38% of our R&D team and 34% of our Q&A department are female. While it’s a good start, we acknowledge that continued efforts in this area can further balance the numbers of men and women filling these roles. If you do not currently have initiatives at your own organization to recruit more women into security and tech roles, there are programs to use as a model, such as the partnership between SHRM and iRelaunch, a Boston return-to-work services firm, that creates internships for women in engineering (with a 90% hire rate). By making it a priority, and with more programs like this one, women will have the proper training and confidence to pursue a career in cybersecurity.
In the category of return-to-work and career change professionals, many are highly qualified but might lack specific skills. As this post puts it, “This could mean a shift from hiring applicants with all the right skills, to hiring those that have the ability to grow into the role.” It may require a shift in thinking, but that shift will be well-rewarded.
Creativity is the Key to Alleviating the Talent Crunch
To wrap up, we point to ESG’s 2018-2019 annual global IT survey that found that the cybersecurity skills shortage has been increasing steadily, with 53% of organizations bemoaning a lack of necessary talent, up from 42% in 2015-2016. Globally, it’s expected that there will be 1.5 million unfilled cybersecurity positions by 2020. Clearly, we need to be more inventive in how we approach this problem.
Organizations must look for fresh ways to manage complexity and improve operational efficiency, which in turn will improve security. Security policy management and automation require a seat at the table to enable you to better meet the demands of the modern era without being derailed by the cybersecurity skills shortage.
To learn more about the challenges facing network and security operations and how automation can help you bridge the security talent gap, check out this infographic: Network and Security Operations’ Dreaded 4-Letter Word: MORE