Workforce Shortage Affecting Cybersecurity Posture

The shortage of IT security professionals is negatively affecting organizations as they struggle to keep assets safe in an era of rising threats and increasing IT complexity. 

These were the results of a global survey of 1,000 cybersecurity professionals conducted by Vanson Bourne and Trellix, in which 85% of respondents said they believed the workforce shortage is impacting their ability to secure increasingly complex information systems and networks.

In addition, a large majority of respondents (91%) believe there needs to be wider efforts to grow the cybersecurity talent pool from diverse groups.

More than nine in 10 respondents (92%) said they believe greater mentorship, internships and apprenticeships would support the participation of workers from diverse backgrounds in cybersecurity roles.

Kent Landfield, head of technology policy and standards at Trellix, added that one of the greatest challenges for IT security teams these days is employee burnout.

“Businesses must develop and assure they understand there is a career path for cybersecurity,” he explained. “People want to grow and want to feel they have a productive and useful future in the organization.”

He added the survey again raises the specter that the cybersecurity talent gap may not be addressed without expanding workforce ranks beyond the traditional talent pool with the traditional resume and career path.

“We will not be able to expand the workforce unless we can tap into talent within currently underrepresented groups in cybersecurity, and adopt some non-traditional approaches to talent recruitment, training and development,” he said. “It needs to be understood too that not all need to have a four-year degree to be successful in the cybersecurity field.”

From Landfield’s perspective, organizations should be looking for creative ways to find those interested in cyber-related opportunities.

“The cybersecurity talent gap is an imperative not only for the cybersecurity field, but also the industry and national security postures that increasingly rely upon cyber as a security domain,” he said. 

The Cybersecurity Skills Shortage

Ravi Pattabhi, vice president of cloud security at ColorTokens, a provider of autonomous zero-trust cybersecurity solutions, pointed out that a significant shortage of skilled cybersecurity experts is a widespread issue, not only in the United States, but globally.

“Some universities in the United States have started teaching students some of the basic cybersecurity skills such as vulnerability management and security hardening of systems,” he said. “In the meantime, cybersecurity is undergoing a major shift.”

He explained the industry is increasingly incorporating cybersecurity into the design stage and building it into product development, code integration and deployment through DevSecOps.

“This means that software developers likely need basic cybersecurity skills as well including the MITRE attack framework and using penetration testing tools,” he said. 

He added companies are primarily looking for graduates who have some experience using basic security tools such as pentesting and scanning tools.

Familiarity With the Cloud

In addition, rapid global cloud adoption means it is especially important for fresh grads to have some level of familiarity with cloud and securing cloud infrastructure.

“Therefore, there is a great demand for grads with cloud experience in AWS, Azure and GCP, particularly developers,” he said. “Lastly, knowledge of some rapidly growing programming languages like Go and Rust are also a big plus.”

The survey found support for development of skills (85%) and the pursuit of certifications (80%) were selected as highly or extremely important factors for the industry to expand the workforce.

Mohit Tiwari, co-founder and CEO at Symmetry Systems, said the pandemic accelerated organizations’ digital transformation initiatives, so the ability to set up workloads in the cloud and get organizations through compliance and security challenges continues to be a highly in-demand skillset.

“Part of the reason is that the workloads organizations resisted moving to the cloud were highly regulated ones, and the forced move out of on-site data centers managed by IT staff is driving up demand for cloud-based compliance and security skills,” he said. 

From his perspective, cloud-based security techniques will continue to be critical.

These include learning to work with cloud-native identity and access management (IAM), large scale log analysis and alerting techniques, NIST and similar compliance frameworks and, more broadly, learning to manage infrastructure through structured programs instead of shell scripts pieced together.

“As networks and application tiers become ephemeral, the most important persistent asset for any enterprise will likely be their own and their customers’ data,” he said. “Therefore, data security in the cloud will be a major theme going forward.” 

He pointed out that cybersecurity education has traditionally focused on teaching encryption basics, memory errors, web application exploits and several network-layer (TLS, DNS, MAC) security concerns.

“This is a great start; however, making new encryption libraries or exploiting web applications is a very small fraction of security-related work in the industry,” he said. 

Tiwari predicted that soon, workloads will very likely be deployed on the cloud, managed as code using CI/CD and runtime systems like Terraform and Kubernetes.

This means security engineers will look a lot like classic computer science/engineers—and will have a unique opportunity to build security functions into a service mesh.

“For example, to build domain-specific languages to author compact policies, compilers to translate these into cloud-IAM backends and runtime analysis and response to build resilience into a service mesh,” he said. 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
