While it is easy to picture Apple, Facebook and Google when you think of “tech companies,” the truth is that today almost any company can be considered high-tech. Any business that relies on information technology (IT) in the form of a computer network also needs to consider cybersecurity.
Cybersecurity now touches almost everyone in an organization, and as data increasingly flows through the various departments the need to secure it becomes more important. With more information comes more breaches. In the first half of 2018, more than four billion records were compromised to data breaches.
According to a study conducted last year by IBM and the Ponemon Institute, the average data breach can cost companies upwards of $3.86 million, while large-scale breaches can top $350 million. As the cost of attacks increases, the number of professionals available to fill open cybersecurity positions has not kept pace. Another 2018 study from the non-profit IT security organization (ISC)² found that demand for skilled security professionals remained the biggest challenge facing the tech world.
How Many Cybersecurity Positions Remain Unfilled?
There are 2.93 million open and unfilled positions worldwide.
“A shortage of nearly three million: This number may seem abstract, but it’s having a real-world impact on companies and on the people who are responsible for their cybersecurity. According to the survey, 63% of respondents report that their organizations have a shortage of IT staff dedicated to cybersecurity. And nearly 60% say their companies are at moderate or extreme risk of cybersecurity attacks due to this shortage,” the (ISC)² report noted.
More Than More Workers
But while the focus is often on the shortage of cybersecurity workers, just looking at the numbers doesn’t necessarily tell the full story. Having more bodies fill the openings might sound like the solution, but experts warn this isn’t the case.
“The many records compromised and the high cost of each breach tells us of risk exposure, not of an employment gap,” said Jim Purtilo, associate professor in the computer science department at the University of Maryland.
“There is no suggestion that we’d have substantially fewer breaches had companies employed a bigger crowd of cybersecurity workers, though that is probably the case at some sites,” Purtilo told ClearanceJobs.
“The problem is that too many companies treat security as something that is an add-on after the rest of their systems are designed and deployed,” he added. “They may employ smart cybersecurity workers, but if those professionals aren’t in the kitchen when the meal is planned, then there is only so much value they can offer when it is served. Security is something that must be baked in, not sprinkled on top. Not all corporate cultures reflect that yet. Those are the companies that will keep paying for breaches.”
fewer people = more automation
One way that cybersecurity could be improved is not from fitting more desks with workers, but by embracing automation instead.
“Automation has been, and is an enabler of operational improvements and IT security enhancement across our service portfolio,” said Brendan Walsh, senior vice president of partner relations at the 1901 Group.
“We consider automation an essential part of keeping employee satisfaction high by allowing our IT talent to focus on creative work versus repetitive tasks,” Walsh told ClearanceJobs. “Don’t get me wrong, the repetitious tasks are critical, but they are also perfect for automation, and technologies such as Robotic Process Automation (RPA) are paving the way for us to grow our business and scale.”
Walsh cited several examples where automation could help fill the shortage of cybersecurity workers:
- Automating the governance of service provisioning and orchestration using tools like ServiceNow service catalog, and RedHat to fully automate end to end provisioning based on our customers’ business rules.
- Automating the prototyping of virtual agent chatbots to resolve routine IT requests on demand, which is faster than relying on human intervention.
- Building scripts or bots that automate the generation of hardened server images that comply with our customers’ IT security policies, which increases security and saves time.
Cultural Shift in cybersecurity
Another way that the shortfall of cybersecurity experts can be addressed is through the promotion of a healthy culture shift that includes hiring professionals with substantial understanding of software engineering in addition to cybersecurity practices.
“As each area leverages deeper technology, we start talking in different technical tongues, so of course it becomes more difficult for younger cybersecurity hires to influence outcomes; when in doubt, leadership will err on the side of decisions that ‘make the product work’ first,” explained Purtilo. “Fortunately, dually-prepared professionals are available on the market.The best software engineering programs recognize security as a first class component of the quality mission, and they thus incorporate cybersecurity as a first class component of the curriculum.”
Even if the corporate world embraces this cultural shift, the demand for cybersecurity professionals will likely increase.
“In the long run, the way we meet demand will shift due to improved design and engineering practices; more people will do cybersecurity because better technology will enable us to handle more security needs for ourselves,” suggested Purtilo. “It was like that in communication. Almost a century ago it was projected that a significant percentage of the population would become telephone operators in order to meet growing demand for long distance calling. That prediction became true – a huge percentage of the population does now route calls. The technology shift simply lets us serve as the switchboard operators as we dial and route our own calls.”