Is Cybersecurity Having an Identity Crisis?

There has never been a better time to get into cybersecurity, or a worse one. The industry is crying out for professional skills but is also foundering in its efforts to retain and develop them. Employees in the security operations center (SOC) are not enjoying their jobs, and the cybersecurity workforce is losing existing workers as quickly as it finds new ones.

How Do We Stop the Rot?

The stakes are rising as companies face mounting cybersecurity threats, ranging from AI-powered attacks to highly evasive threats targeting the browser. We need to rethink how we recruit and develop our staff to tackle these challenges. We must also refine our approach to cybersecurity technology, focusing on new generations of tools built from the ground up to counter these emerging threats.

A Widening Workforce Gap

(ISC)2’s 2022 Cybersecurity Workforce Study revealed that the workforce is growing at an astounding rate, increasing 11.1% year-on-year in 2022 to reach 4,656,084. Unfortunately, the gap between the available staff and the demand for workers has grown even more quickly, ballooning 26.2% in the same period to reach 3,432,476.

What’s happening? The problems lie at both ends of the employee life cycle.

On the intake side, we make it harder for new entrants than it needs to be. For example, (ISC)2’s Certified Information Systems Security Professional (CISSP) is a requirement for many jobs, but you need at least five years of paid full-time work experience to get it. That’s a Catch-22 problem for many would-be cybersecurity workers.

The industry is also failing to draw from a wide enough talent pool. The workforce is predominantly male and white. There are some efforts to cast the net wider, with recruitment and training programs targeting veterans and neurodiverse people as well as women and BIPOC. However, these are the exception, not the rule. According to (ISC)2’s 2022 Cybersecurity Workforce report, barely a third of organizations have implemented diversity, equity and inclusion initiatives for cybersecurity employees.

Cybersecurity employees also tend to live in a blame-heavy culture. If a security incident happens, the cybersecurity team gets shamed, even if they have taken reasonable measures to prevent it. This, along with the shortage in skills, is driving high burnout rates among staff. Gartner has predicted that 25% of cybersecurity leaders will leave their jobs to pursue different roles entirely due to workplace stress.

Think Broad and Deep

How can we turn things around? Changing the culture and exploring diverse hiring and talent development initiatives are key, but these are part of a broader rethinking of enterprise cybersecurity.

For too long, organizations have treated security as a niche technical discipline. It’s time to expand our thinking and treat cybersecurity as a business function, investing in it strategically rather than making disjointed technology purchases every time a data breach hits the headlines.

This strategic investment must span two broad areas: human and technological. Managers must develop cybersecurity workers’ skills more strategically, offering them a path for career progression within the organization.

Employee development techniques include structuring individual roles and team interactions. For example, rotating cybersecurity employees through different roles can help to develop a rounded skill set.

Companies can also create cybersecurity best practices in different areas, such as software development and infrastructure administration, documenting and sharing them between different teams. For example, pair programming enables software developers to check each other’s work for secure coding practices.

Measures like these build a well-rounded workforce with a range of cybersecurity skills, raising general security awareness and capabilities across the entire organization. Breadth is not enough, however. A strategic view of cybersecurity must extend up to the highest level of the company.

It is no longer acceptable for boards to be unaware of cybersecurity issues. They must be educated about its role in business risk to prioritize this integration of security with the rest of the business. They will drive a multidisciplinary approach spanning functions ranging from HR through to legal, from product design through to software development.

Board-level staff and the C-suite can also empower senior security practitioners to prioritize operations, training and threat intelligence activities by understanding the biggest cybersecurity risks to their particular organization and industry.

Good Management Decisions Come From Good Data

Ideally, these senior cybersecurity decisions will draw on a mixture of broader threat intelligence and internal cybersecurity incident data and performance metrics. That requires a more cohesive approach to cybersecurity technology in the organization.

The age of discrete, piecemeal technology purchases driven by short-term events is ending. It’s time to focus on interoperable cybersecurity tools that share data effectively. This is a key element in fighting cybersecurity’s skills gap. Beyond driving better security management decisions, it also helps staff in the SOC to make more joined-up decisions during the incident response cycle. Rapid data exchange reduces the friction SOC staff face in carrying out basic tasks, enabling them to do their jobs more quickly and effectively.

Rethinking Technology Strategy

Companies addressing the skills shortage can also mix both zero-trust and preventative measures into their cybersecurity technology stack. Zero-trust eliminates the innate trust that companies put in various online resources, assuming from the beginning that everything could be malicious and requiring proper checks and authentication.

This zero-trust approach is increasingly important, especially as we enter an era of highly evasive threats targeting users. Attackers are especially innovative, using evasive techniques to target web browsers and sidestep commonly deployed security solutions. They put everyone at risk by circumventing traditional detection-based security tools via methods including HTML smuggling and multi-factor authentication (MFA) bypass. They even target legitimate domains from some of the largest tech vendors with compromises that evade legacy URL reputation systems.

Preventive cybersecurity offers another level of help for SOC employees. What better way to reduce stress than by blocking out threats to begin with, eliminating the need to chase attackers through your network? Isolation technology can help by preventing web-borne threats from reaching your network in the first place, processing them in secure environments before your employees see them.

It is possible to reverse the brain drain and build a robust cybersecurity workforce, but it will take mature, multifaceted thinking. Cybersecurity pros can begin by talking to senior management about the policy changes needed to create a fertile platform for cybersecurity skills development. You won’t make this journey overnight, but the investment will be worth it.

Neko Papez

Neko is passionate about cybersecurity and delivering leading product initiatives that help drive demand and positive customer engagement. Prior to Menlo, he led several high-impact teams at multiple start-ups and successfully executed key strategies to help produce meaningful results for customers and partners alike.