by John Mason
Hackers everywhere are rejoicing.
According to new data, 51% of companies say they have ‘a problematic shortage of cybersecurity skills.’ This number has risen year upon year. Cyber attacks are commonplace, and the number of data breaches in the U.S. rose to 1,579 in 2017.
It’s a matter of when your company will be hit by a cyber attack, rather than if.
Naturally, companies need security officers in place to fight the rise in cybercrime. So the skills gap is an issue, as we need as many cybersecurity pros out there as there are Mr. Robot-types. Employers need to be clued up on exactly what’s going wrong to solve the ever-increasing problem of the skills gap.
Major Breaches and Their Implications
Here is a graph depicting the biggest data breaches of recent years by how many accounts were compromised:
In 2017, Yahoo admitted that all 3 billion accounts had been compromised in cyber attacks in 2013 and 2014. This is the biggest data breach in history so far. Hackers were able to gain access to names, dates of birth, email addresses, and passwords of account holders. Because Yahoo was in the process of selling the company to Verizon, the admission meant around $350 million was knocked off Yahoo’s sale price.
In 2015, the Office of Personnel Management (OPM) announced two separate but related security breaches that affected nearly twenty million security clearance applicants, as well as 1.8 million individuals who had been listed on the security clearance application. The information breached in this case was particularly sensitive, including private information on everything from debt to sexual behavior.
And as technology advances, there are new risks to businesses.
The Internet of Things (IoT) makes us all vulnerable.
“The threat of DDoS will be accentuated with the increased usage of Internet of Things (IoT) connected devices in the enterprise, which when left unsecured, can become pathways as well as slave nodes, and add to the DDoS traffic stream,” predicts ISACA expert Ravikumar Ramachandran.
With so many smart devices in use, there’s more room for hackers to find gaps in your cybersecurity. In 2017 there was a 27.4% increase in cybercrime. This cost companies $11.7 million, on average.
The huge cost associated with cybercrime means that cybersecurity professionals are in demand now more than ever.
The Skills Gap Explained
Yes, cybersecurity professionals are in high demand. But companies are finding it increasingly difficult to hire individuals with the right skills. Recent surveys show there is a large amount of anxiety among organizations.
“Considering the recent high-profile threats that have been attributed to unpatched systems, it’s no wonder respondents are concerned that a technical skills gap could leave their organizations exposed to new vulnerabilities,” said Tim Erlin, VP of Product Management and Strategy at Tripwire.
But not all IT skills are created equal, or in equal demand. Organizations’ top focus is on network monitoring, IT fundamentals, and vulnerability management.
The skills they’re most worried about losing are:
- Staying on top of vulnerabilities (52%)
- Keeping track of software and devices on the network (29%)
- Identifying and responding to issues promptly/staying on top of emerging threats (24%)
These are the areas where organizations believe a tech skills gap exists.
But it’s not just technical skills in demand. There is also increasing demand for cybersecurity professionals that have soft skills. You know, the kind of skills that Roy and Maurice from The IT Crowd are lacking (even though we love them). 72% of companies believe the need for soft skills has increased.
These are the kinds of skills they are looking for the most:
Companies are looking for analytical minds and good communicators. They need professionals who can link cybersecurity issues to the priorities of a business and communicate those issues well enough to get the entire organization on board in dealing with cybersecurity. The increased risk of attacks also means organizations want people who can solve difficult problems under pressure.
Integrity and the ability to handle confidential information are self-explanatory. The skills gap isn’t just technical skills but also soft skills – the stuff that makes someone a good, well-rounded employee.
But if these skills are in such high demand, why are they lacking?
Causes of the Skills Gap
Some believe it’s a STEM problem. But more likely, cybersecurity is simply not an appealing profession. By 2021, it is expected that there will be 3.5 million unfilled cybersecurity jobs.
Those coming up in the IT industry are simply not choosing security.
“I think there is always going to be a certain percentage of people that look at the profession negatively and feel like they’re going to be a scapegoat when things go wrong,” says David Shearer, CEO of (ISC)2.
This is true in some cases.
47% of C-Level executives think the primary role of a CISO is to be “held accountable for any organizational data breaches.” There have been some very public cases recently in which CISOs have been at the center of company scandal.
Facebook CISO Alex Stamos will leave the company in August 2018. A report suggests that Stamos’ departure is due to internal disagreements over Russian interference on the social network.
Furthermore, when Equifax suffered a major data breach in September 2017, its Chief Information Officer and Chief Security Officer were forced to resign a week later.
The resignation of security professionals in cases like these helps quell a public outcry.
The role of CISO is seen as a high-risk, low-reward job. When it hits the fan, you’re the first out of the door.
But it’s not all bad. Some individuals are made for that kind of role.
“The people that tend to throw themselves into these types of areas, those are the people that are out there who say, ‘I’ll take the risk because I think I can make a difference. I think I can do this,’” said David Shearer.
How to Solve the Skills Gap
If the job has little appeal, then we need to make it more appealing, and to a wider group of people. Organizations currently get very few applications for cybersecurity positions.
One in five get fewer than five applications, and only 13% get more than 20 applications.
The answer could be diversifying the industry. Millennials and women are particularly underrepresented in the cybersecurity industry. (ISC)2 calls them “an untapped talent pool.”
Employers, therefore, should reach out to women and millennials internally and externally.
It’s also a good idea to reach out to individuals in other professions who could adapt to cybersecurity work, including law enforcement, accounting, and communications professionals.
Another issue that needs to be solved is the lack of basic and soft skills within the industry. Applicants need to brush up on these skills if they desire a cybersecurity position.
Employers have a role in this, too, in that they need to state exactly what they are looking for in IT job postings.
Adrian Davis, Managing Director for the Middle East, Europe, and Africa at (ISC)2, believes the current state of job postings sends the wrong message to young people in particular:
“Young candidates tend to think that they need to have technical depth, but in reality, while hiring managers want to see candidates with good technical skills, they tend to weigh communication skills, analytical skills, business knowledge, and risk understanding higher than young candidates do.”
Clearly, half the battle is explaining the roles available in cybersecurity better, as well as marketing them better. This could reassure those new to cybersecurity that they have a place in the field, whether they are young people or people in relevant roles looking to switch careers.
Another issue in the cybersecurity industry is employee churn. You can’t afford to lose your employees. But the vast majority of them are willing to move.
84% of cybersecurity workers are open to new opportunities or are already planning to find a new job in 2018.
You have to admit, that’s a staggering (and frightening) statistic.
How do you hold on to those precious cybersecurity professionals?
That’s where training comes in. Employers should upskill employees to improve their knowledge and expertise.
“We need to upskill some of our existing people in the industry so they understand the technology they are working to support,” says Ian Glover, President at Crest.
If employees have a better understanding of what they are doing and why they are doing it, they’re likely to have a greater passion for their job (as well as better skills). Essentially, if they believe they are doing some good, they will want to keep on doing it.
Overall, efforts to gain and retain new employees within the cybersecurity industry are key to closing the cybersecurity skills gap.
The major security breaches of recent years are anxiety-inducing. And new, innovative technologies now and in coming years increase the risk of cyber attacks. It’s more important than ever to have a strong cybersecurity industry. But there is a gap in both technical and soft skills among cybersecurity professionals, the cause of which may be a lack of job appeal due to the high-risk, low-reward nature of the job for some CISOs.
Hackers shouldn’t rejoice too much, though.
With greater awareness of the skills gap come strategies for solving it. Companies today are making an effort.
In the future, employers need to appeal to a diverse workforce. They need to target women, millennials and those in other relevant professions to draw them over. Where skills are lacking, training should be put in place, particularly because this will help retain employees in the industry.
The battle isn’t over yet.