The Cybersecurity Skills Gap–And How To Fill It

If you’re active in the cybersecurity field, chances are you’ve seen, heard, talked about or experienced the paucity of trained cybersecurity professionals. Predictions vary, but Cisco estimates there will be a global skills shortfall of around 2 million by 2019; other estimates are even higher (up to 1 million per year, starting this year).

As an infosec professional, how should you react? Some recommendations: 

  1. Consider managed services. Boutique and larger security consultancies, as well as global providers like AT&T, Dimension Data, and Verizon, offer a range of managed and professional services. Managed services can reduce the headcount required at your end, and simultaneously improve the security stance of your organization. Nobody really needs to invest hours or days per week scanning firewall logs when a managed services provider can automate that task!
  2. Automate, automate, automate! Speaking of automation, launch an infosec automation initiative, if you haven’t already. In our most recent 2016/2017 Security and Risk Management benchmark and maturity model, just 29% of organizations benchmarked said they fully automated all infosec business processes–yet 100% of the most successful and mature organizations did so. 
  3. Recruit from outside the infosec space. Network engineers are often underemployed these days, as network architecture has become more streamlined (and, with the advent of MPLS and SD-WAN-based services, more outsourced). Yet a good engineer has the mindset for expanding into the security space, particularly at the nitty-gritty infrastructure level. Areas to focus on include identity and access management and threat detection–both areas that, with a bit of training, network folks can pick up handily.
  4. Set up, or procure, training in communicating technical risk in business terms. Nearly every cybersecurity professional we’ve spoken with laments the lack of individuals who can understand technical issues, and also communicate them in business terms. This is a problem across all of IT, of course–but it’s particularly acute in cybersecurity. Because security is often so technical and mathematical a discipline, most professionals who are truly strong in it haven’t focused on communications and business skills. (The few who have are likely working on Wall St.) That leaves infosec managers to their own devices when building up a bench of talent proficient in both business and techspeak. Don’t neglect this area–and where appropriate, enlist third parties.

The most important thing is to have a plan–recognize the challenge, and know that it will only get worse over time. Outsourcing, automating, and training are three good ways to build that talent bench when hiring isn’t an option.