Cybersecurity skills shortage: 4 advices to better deal with it

According to a Gartner survey, 61% of companies are struggling to hire security professionals. In an area of low unemployment where the need for qualified workers is constantly growing, companies are fighting to discover and keep the experts they need to ensure the achievement of strategic goals.

More companies than ever are carrying business online. The developing digital footprint and frequently advanced cyber-attacks have produced a thriving necessity to secure that information and the devices companies are deploying. Gartner has predicted that the global spending on Information Security will expand to $124 billion in the year 2019. Despite of all of that spending, some security researchers predict that the cost of cybercrime will have quadrupled since 2015, touching $2.1 trillion by the end of 2019 and overtaking spending on cybersecurity by more than 16 times.

The truth is, companies are struggling to keep up with the cybercriminals. There are many speculations for this. Digital transformation, such as cloud adoption, SD-WAN, and IoT (Internet of Things) — leverage new and unexpected ways of attack. Let’s take a look at how companies are being affected by the shortage and the 4 bits of advice on how to deal with the security skills shortage.

How companies are being affected by the shortage?

A continuous supply of new and sophisticated cyber-attacks has been pushing the requirement for skilled cybersecurity staff to help protect businesses. For example, in the month of December of 2016, a researcher sent a simple message to a credit card monitoring company: Equifax. The message was “Your website is vulnerable to a cyber-attack”. The company did not patch the aforementioned vulnerability. They were breached six months later, in May of 2017, with hackers seizing sensitive data of 145.5 million Americans.

It’s an ultimate example of an all-too-common business failing because of cybersecurity readiness and shortage of skilled professionals. It turned out that the top executive handling cybersecurity at Equifax didn’t have much precise skills and knowledge of cybersecurity. This example clearly demonstrates that companies are facing tremendous cybersecurity skills shortage.

In the same way, the third annual global cybersecurity professionals 2018 research study, carried by the Information Systems Security Association (ISSA) and the Enterprise Strategy Group (ESG), observed that 18% of the companies declared having a shortage of cybersecurity talent. The deficit is related to fields in the cloud, application, security analysis/examinations, risk strategy, security architecture, and penetration testing. One of the reasons explaining the shortage is the relatively new type of position coming with cybersecurity needs. Therefore, experts observe a clear lack of standardization around the titles and terminologies, this might be leading to lack of clarity in the career paths.

Let’s take a look at some of the major consequences that companies have to deal with when affected by the cybersecurity skills shortage.

According to the ESG research, 66% of the study participants insist that the cybersecurity skills shortage has resulted in an intensified workload on the current staff. Since companies don’t have sufficient skilled people, the extra task gets stacked onto the existing employees. This inevitably leads to IT misconfigurations, individual error, improper allotment of tasks to skills, and employee burnout at the end.

The ESG research also elaborated that 47% of study participants insist that the cybersecurity skills shortage has emerged in a failure to thoroughly learn or use security technologies to their complete potential. Organizations are purchasing expensive security tools but not finding the time to implement them due to lack of experience or resources to take full advantage of them. Product quality won’t matter if no one on the IT team knows how to use it properly. For example, companies are very concerned about malware and advanced persistent threats, while only one in five employees are confident about their ability to correctly use those security tools to defend against sophisticated attacks.

The ESG research further states that the cybersecurity skills shortage is responsible for recruiting and training junior employees rather than hiring experienced cybersecurity experts. As more companies are striving to satisfy the proficient roles, they have to take urgent choices to address their needs — though not certainly the right ones. The time and financial resources mobilized in the creation of a process to train the juniors or unspecialized employees is another big expense that companies have to plan.

The skills shortage also results in insufficient time to work with business systems to adapt cybersecurity with business methods. This does not help any business at the end. Organizations are creating or staking technologies as part of their business stakes, yet the cybersecurity team doesn’t have sufficient time to work with the business to decrease danger or secure business methods.

4 steps to better manage the shortage

Breach detection, proactive threat hunting, and incident response are intensive processes reliant upon high-level skills, so it’s reasonable to believe the cybersecurity skills shortage would have a serious impact here. Can anything be done? Yes! CISOs should expect they will be short-staffed and hence address cybersecurity demands by following these 4 steps:

Organizations must value their current workforce. It is a critical element of cybersecurity. New security solutions come into the market to support companies to protect their data, but without experienced, skilled workers to implement and use them, these tools aren’t going to get the job fulfilled. Companies should also try to maintain the best and brightest of their security workforce, invest in the professional improvement of those employees and strive to build a security practice through cohesion. Valuing your workforce can start from using tools to release them from the most redundant and less valuable task to develop a training program to empower the teams.

For example, many companies have huge development teams, but with little involvement in security. These experts often have the ability and interest to acquire the required security skills and step into a new role. To work on this point, companies can offer on-site security workshops by outsourcing the training to a third party. If an employee can identify a way to leverage his work and take on new responsibilities in the security field, he is more likely to join.

Security automation is a mechanism that can be utilized to eliminate security decision responsibility from workers. Automated software can be prepared to spontaneously detect particular security threats by recognizing threatening e-mail attachments and scanning inbound messages for malicious URLs. Once recognized, the software will also work to eliminate the threat. The standard methods like handling security by individuals are particularly prone to mistakes and misconfigurations which can drive to severe downtime, a broken audit, or worse yet, a data breach. In some instances, primary methods like decommissioning practices or servers do not take place because of bandwidth limitations, an error that can expose the network to cyber threats.

Security automation is the automatic administration of security operations-associated responsibilities. It is the method of completing these tasks, such as scanning for vulnerabilities, without human interference or consider an example of malware investigation. The following list of jobs will apparently look all too common:

● Monitoring email and other causes prone to malware infections
● Detonating files in a sandbox
● Implementing VM snapshots
● Reverse engineering malware
● Removing malware.

Migrating to the cloud-based security solutions comes with many advantages such as improved flexibility, administration, and scalability. Companies require cloud security that incorporates a firewall, antivirus, sandboxes, and other tools to watch incoming traffic and combat threats. There’s more to risk prioritization than just discovering vulnerabilities with the highest CVSS scores; determining where to direct your team’s works expects you to account for malware exposure, exploit exposure, and vulnerability age into prioritizing vulnerabilities.

For example, vulnerability management is the method of recognizing, assessing, handling, and reporting on security vulnerabilities in systems and the software that runs on them. Security vulnerabilities, in turn, point to technological flaws that enable attackers to compromise a product and the data it holds. This method needs to be implemented continuously in order to keep up with new systems being attached to networks, developments that are made to systems, and the identification of new vulnerabilities over time.

To help bypass this problem, cloud security solutions deliver vulnerability management software which can assist to automate this method. They’ll apply a vulnerability scanner and seldom endpoint tools to investigate a variety of systems on a network and discover vulnerabilities on them. Once vulnerabilities are recognized, the risk they pose requires to be assessed in various contexts so conclusions can be made about how to best handle them. For example, vulnerability validation can be an efficient method to contextualize the actual severity of a vulnerability. The scan consists of four stages:

● Scan network-accessible systems by probing them or transferring them network traffic.
● Recognize open ports and running services on scanned systems.
● Eventually, remotely log in to systems to collect additional system information.
● Compare system information with known vulnerabilities.

As mentioned earlier, many cybersecurity roles go vacant, because the supply of qualified candidates is currently smaller than the number of jobs available.

According to Deloitte’s 2019 Future of Cyber Survey, outsourcing part of your security effort can help improve speed and quality and allow the organization to do more with less. According to the survey results, almost all respondents say they have outsourced part of their cybersecurity strategy to third-party providers and 14% of total respondents say more than 50% of their cybersecurity operations are outsourced. Among CISOs, 65% say they have outsourced between 21% to 30% of their cyber operations.

Thus, getting the appropriate people for an in-house response team can be time-consuming. If an incident happens while waiting to fill those positions, a company is left vulnerable. Outsourcing means a company could be protected at a much faster rate. For example, if you are an organization handling sensitive information from your customer, you might be a target from an attacker. And as trust is a key business consideration nowadays, you cannot afford this risk wide open, you need to be able to answer in case of an incident. Outsourcing an incident response team may not only bring expertise but also an insight into possible defects in your functional incident response plan.

Training is another worth aspect of cybersecurity staff career development. Many companies can solve this problem of cybersecurity skill shortage by adopting a constant training strategy in their organizations along with individual’s self-improvement training. The challenge in cybersecurity is principally the influence of hackers’ TTMs (tricks, techniques, and methods) and this requests for constant education. According to the ESG research, 96% of the cybersecurity professionals recognized the significance of continuous learning, failing which companies will be operating at a notable disadvantage.

Do you want to be more efficient in your incident response? You want cybersecurity experts to support your business? Try SEKOIA.io for free now!

Chat with our team!

Would you like to know more about our solutions? Do you want to discover our XDR and CTI products? Do you have a cyber security project in your organization? Make an appointment and meet us!

Échangez avec l’équipe

Vous souhaitez en savoir plus sur nos solutions de protection ? Vous voulez découvrir nos produits de XDR et de CTI ? Vous avez un projet de cybersécurité dans votre organisation ? Prenez rendez-vous et rencontrons-nous !