We need cybersecurity workers and a lot of them. As of today, there is a gap of 3 million jobs that need to be filled.
One could say that people don’t want to apply for such jobs because of the stress they induce.
That is true. Attacks are increasing year after year. 2020 saw a dramatic rise in the number of cyber-crimes (300%, compared to 2019, according to the FBI). It appears that 2021 follows the same pattern as the last several years before the pandemic.
And these attacks have growing consequences too. The cost of successful cyberattacks is increasing, leaving breached companies with financial difficulties on top of damage to their reputation and to the trust placed in them. This leads companies to lean more and more on their cybersecurity teams. They ask them to protect better, but the budget is lagging. As a result, the cybersecurity world is in crisis. Among cybersecurity professionals surveyed, 64% state that their organizations suffer from a talent shortage and have to face an increasing threat. The teams are thus overworked and understaffed.
This is why stress among cyber professionals tends to be industry-wide. Most of them face situations where they need more budget, more hands, and more eyes to look everywhere as the attack surface keeps growing. Furthermore, they bear the ultimate cost of a breach since they are the last line of defense. It is no wonder that, across most companies, Chief Information Security Officers (CISOs) face a workplace where physical and mental problems are an everyday occurrence among understaffed and overworked teams.
Is this situation sustainable?
This situation cannot go on forever. Cyber professionals can’t be left on their own with the burden of protecting their organizations. They need solutions; they need help.
Of course, there are some fixes that organizations could implement:
- First, they would need to change their mindset about their recruitment processes, recruiting people with potential instead of already qualified personnel;
- Also, to alleviate the burden, they could move forward with automation.
All in all, companies need to adapt to the reality that the threats are growing.
As attacks grow in number and quality, the cybersecurity talent shortage is not being filled.
Cyber attacks are bound to increase, and so is the future demand in the cybersecurity field. Indeed, as of today, cybersecurity is among the top priorities, if not the first, across a wide range of executives. But the lack of available workforce is creating a gap between supply and demand.
Vulnerabilities are growing, and so are attacks.
Multiple factors are making vulnerabilities grow. Conservatively, IoT devices will surpass 25 billion in 2030, up from 10 billion in 2021. Each new device expands the attack surface of the entity it belongs to. It therefore presents enterprises with a substantial challenge: securing all the data flowing through those devices.
Working in a digital space: remote work and cloud services
On top of this, the COVID pandemic made inroads for cyber attacks by forcing businesses to move to remote work on short notice. Staff members were forced to work from home, sometimes without proper preparation or practices to follow. Organizations thus multiplied endpoints, increasing the risk of a breach.
Also, the cloud is going to be the new normal. The on-premise workload is expected to drop to 38% in 2021, against 59% in 2019. COVID-19, lock-downs, and work from anywhere have indeed strengthened demand. Companies are looking to move to the cloud to save money, become more agile, and drive innovation. Moving to the cloud also expands the attack surface and increases potential risks and points of attention. Hybrid cloud will be important in the foreseeable future; 90% of global enterprises will rely on such mechanisms by 2022.
Cyber attacks cost their victims more and more, and their attackers less and less
As for cyberattacks, they are dramatically expanding, especially in recent years. During 2020, cyber-crimes soared 300% compared to 2019. But there’s more. Besides their expansion, they also cost their victims more. In 2020, a successful cyberattack carried an average cost of $3.9 million for small and medium businesses.
Is this growth purely contextual? Cyber attacks are also thriving in 2021. Low detection and prosecution rates are encouraging cyber-criminals to act. The legal grey zone that characterizes cyberspace, with no specific legal framework, creates a cost/benefit balance that is attractive for cyber-criminals, who, operating from other countries, tend to develop a feeling of invincibility.
Moreover, the cost of launching cyber-attack campaigns is decreasing day after day. Ransomware as a service is now a thing. Wannabe hackers can go on the dark web and afford state-of-the-art ransomware. From $3 trillion in 2015, cyber-crimes are projected to cost companies worldwide about $10.5 trillion by 2025.
There is no way around it. Companies, from anywhere and of any size, need to strengthen their security.
We need more cybersecurity analysts.
Cyber professionals acknowledge a talent shortage that is putting their organizations at risk. But even if every enterprise theoretically had the budget to hire enough talent, there is not enough talent worldwide.
Globally, in 2021, organizations would need 3.1 million agents to protect their information systems adequately. Although the number decreased year over year from 4 million to 3.1 million, the gap is still wide open and, at first sight, not going to be filled in the years to come.
Moreover, among professionals working in the industry, only around half have a computer and information sciences degree. This isn’t to say that half of the people working in the field are not adequately qualified, but it highlights the fact that there are not enough of the most qualified professionals.
This means that talent is scarce, whereas the needs are exponentially growing. And, of course, scarcity also means expense. For example, in the US, the average salary for a SOC analyst is 30% higher than the average US salary. In France, it’s 50% higher.
Ultimately, a competition for talent ensues. In this game, only big companies can fulfill their needs because of better resources. Although also at risk, small and medium companies are left behind with limited resources, facing increasing attacks. Outsourcing security is a solution, but availability becomes a problem when actions have to be taken in seconds.
What are the solutions to fill in the shortage of cybersecurity talents?
The first solution would be to increase the workforce. The private and public sectors are indeed trying to foster the means to recruit and certify people. Still, the gap is too big. Companies need to face that reality and act to alleviate the burden on their limited resources with the help of new solutions.
Instead of looking for overqualified candidates, enterprises should look for potential to grow.
In 2020, 64% of cybersecurity professionals reported at least a slight shortage in their staff. With cyberattacks soaring, these two factors are driving up the pressure on existing cybersecurity staff.
More than 51% of cybersecurity professionals transitioned into cybersecurity from another profession: mathematics, business, finance, among others. Even if organizations would like to hire enough professionals, they could not. There are not enough qualified candidates.
Enterprises need to shift their mentality. The solution is not to find the perfect candidate but to find candidates who are willing to learn and train to become qualified within the enterprise. Companies should hire and train them from day one to make them security experts.
Some organizations are putting in place programs to hire people with little or no experience or skills in cybersecurity, such as IBM’s New Collar program. They hire them and have them learn the job on the go, with an experienced team, solving issues one at a time.
Also, to boost their staff’s skills and attract potential applicants, it’s common for organizations to contribute toward certification-related costs. Approximately 40% of professionals surveyed by the (ISC)² reported that their organization partially paid for their certification. However, certifications like CISSP take up to 4 years to validate.
Companies need to properly plan such training programs. Chief Information Security Officers (CISOs) have to plan the cybersecurity architecture of their organization: how many people are needed, what programs they can put in place, and how many resources they are willing to dedicate to the proper training of future employees.
One last solution is education. The cybersecurity field of study still doesn’t look attractive to many people. Women and minorities, for example, aren’t represented in cyber jobs, which are still considered a man’s field. However, they could constitute a formidable workforce reservoir. Mentalities also need to shift here, making this field of study more welcoming to diversity.
Above everything else, it is time to scale up automation to overcome talent shortage.
Alert fatigue and exhaustion are a reality among cybersecurity professionals such as SOC analysts. Today, depending on their organization’s importance, staff can face from tens of thousands up to millions of alerts daily. Ultimately, analysts are unable to answer all alerts. On average, 50% of them aren’t answered.
Without appropriate tools, every one of these incidents can force analysts to dedicate far more time than they should, performing repetitive tasks with no real added value until a mistake is made.
Cybersecurity staff then devote a substantial part of their time to separating false incidents from real ones. The next day is more or less the same: understaffed and facing more and more attacks. Considering the potential cost of a breach, approximately $3 million for SMBs, the stakes are high.
As a result, more than half of security teams feel overwhelmed by the volume of threat alerts and associated risks. Enterprises, if they want to retain talent, can’t let this issue go on forever. People need to be motivated; they need to see results in their daily tasks. Companies need to find a way to alleviate the burden and ease their cyber professionals’ lives.
One solution, besides the obvious workforce need, is to automate those tasks. Face it, the sheer number of alerts that analysts encounter every day is bound to grow even more. Continuous staff expansion is not the solution. The cost of recruiting enough agents to treat all those alerts would be enormous for any organization, even, and above all, for the largest.
Specifically, automation helps correctly identify threats and avoid misjudging the level of each threat. Furthermore, it also allows IT teams to automate their response to detected threats, one step further than any SIEM. Plus, managing known threats automatically allows more time to hunt for unknown ones. This, in turn, reduces MTTD (most companies take up to 6 months to detect a breach). In short, it means better prevention.
According to a SANS Institute report, half of SOC teams cite the lack of effective orchestration and automation as a barrier to excellence.
As said above, no matter the type of organization, security is expensive. Thanks to its benefits, automation allows teams to do proportionally more with fewer human resources, makes their lives easier, and empowers their creativity, making them want to stay.
Organizations are facing and will face a growing threat. They must understand that cyberspace is becoming, or already is, a hostile environment by nature and that their security architecture has to face that reality. They need to fill their needs by changing their mindset about recruitment and widening the scope, looking for people with potential to train in addition to qualified workers. Also, to alleviate the existing burden, they need to automate basic tasks to handle known threats. That way, teams can focus on more complex and rewarding tasks, empowering their creativity and joyfulness at work.