IT Security Workforce Gap Widens

An ongoing skills gap in the information security space, with an estimated shortage of 3.4 million cybersecurity workers globally, is putting security professionals and organizations under greater pressure than ever before, according to research from (ISC)².

The survey of 11,779 international practitioners and decision-makers revealed 70% felt their organization did not have enough cybersecurity staff to be effective.

More than half of employees at organizations with workforce shortages said they felt staff deficits put their organization at a “moderate” or “extreme” risk of cyberattack.

Because of staffing shortages, IT security professionals have experienced issues including a lack of time for assessment and oversight of processes and slow patching of critical systems.

The study also indicated it was not necessarily difficult to find qualified talent, but rather that insufficient training and promotion opportunities have been the most impactful factors fueling staffing shortages. 

Dave Gerry, COO at Bugcrowd, a specialist in crowdsourced cybersecurity, explained that attracting strong candidates has always been a core part of any business.

“Finding senior talent, whether in cybersecurity or another function, requires a combination of attractive compensation, career growth, flexibility to work anywhere and a mission that employees want to support,” he said. By creating career growth opportunities and rallying behind a mission of helping customers and the broader digital community defend against cyberattacks, employees feel they have an opportunity to better themselves and the broader community.

“Bugcrowd has always taken the approach of finding talent from non-traditional and diverse backgrounds, providing them with the necessary training and enablement, paying them well with additional equity incentives and empowering them to do what needs to be done,” Gerry said. “This has allowed us to continue building a world-class team in a market that is highly competitive.”

He added that for years, the industry was led to believe there is a significant gap between the number of open jobs and qualified candidates to fill those jobs.

“While this is partially true, it doesn’t provide a true view into the current state of the market,” he explained. 

From his perspective, employers need to take a more active approach to recruitment from non-traditional backgrounds, which, in turn, significantly expands the candidate pool from just those with formal degrees to individuals, who, with the right training, have incredibly high potential.

“Additionally, this provides the opportunity for folks from diverse backgrounds who otherwise wouldn’t be able to receive formal training, to break into the cybersecurity industry—providing income, career and wealth-creation opportunities that they otherwise may not have access to,” Gerry said. 

Darren Guccione, CEO and co-founder at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, said business leaders are challenged with sourcing the necessary cybersecurity talent to keep their organizations secure as they balance distributed remote workforces and a growing number of endpoints with a threat landscape that continues to expand.

“This imbalance between the need to protect public and private-sector organizations and cybersecurity-trained professionals represents a bold opportunity for students to pursue a career in a massive industry,” he said. 

Guccione explained that beyond compensation, Keeper Security seeks individuals who are passionate about their desired profession and skill sets.

“We are dedicated to developing global talent with the goal of helping our team members become the best versions of themselves and become self-actualized in their profession,” he said. “Cybercriminals aren’t waiting for the industry to close the workforce gap in cybersecurity.”

Therefore, he said, colleges, universities and technical organizations should develop, invest in and execute on cutting-edge cybersecurity curricula.

John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, pointed out that ultimately, threat research is not scalable with technology.

“You just need more humans to do more,” he said. “It also incentivizes me to focus on developing junior researchers, which benefits the industry and the landscape overall, anyway.”

He said he always prefers to make what he calls ‘Rolodex hires’ when he can, because hiring is one of the most miserable tasks for managers.

“Once I have people in the door, I try to encourage as much professional development as possible and continue to try to direct work to their current interests,” he says. “Basic engagement with staff on a human level also helps beyond just shoveling JIRA tickets.”

Bambenek also noted that many organizations are relying on automation or machine learning to try to fill the talent gap.

For instance, SOAR, besides solving the security problem, can help organizations do a lot of incident response work automatically instead of relying on humans to do it.

“We are running into automation that doesn’t work and new security problems that automation is not yet ready to solve, but there is a lot of promise of new tools and technologies in making humans more productive than they are today,” he said. 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
