Professional cybersecurity staff are hard to find - and it only gets worse!
For more than a decade, I have been working as a security professional at several companies of various sizes and in different industries. Over the years, I have noticed a worrying trend - a lack of skilled security professionals to keep the hackers at bay. As a result, organizations keep being exposed to cyberattacks. In their desperation, organizations scramble to hire staff as quickly as possible, often compromising on quality. But when employees don't have enough experience, or even the right skills, to perform their tasks, the organization remains vulnerable. This is a critical issue, especially since organizations are under pressure to comply with a rising tide of rules and regulations. They need cybersecurity professionals to help them out. But where to find them? Especially when there is a global shortage of security professionals that will reach two million by 2019, according to ISACA, a non-profit information security advocacy group. ISACA illustrates the growing crisis very clearly in its infographic below.
When looking for security personnel, organizations normally start by looking for suitable candidates themselves or they enlist the services of a recruitment company. But in some cases, recruiters are just not able to identify suitable candidates and might even publish incorrect job requirements.
A third option is to outsource the tasks to a cybersecurity consultancy firm. This makes sense, except for one thing - consultancies face the same shortage. That's why they often assign junior employees, interns and sometimes even unqualified persons. This is an issue, especially when it comes to regulatory compliance with requirements such as GDPR, 23 NYCRR Part 500 and SOX.
So what to do? There are two obvious ways to go:
- Looking for professionals with skill sets other than the traditional tech background. By changing two key hiring requirements (a tech background and previous experience in cybersecurity), a whole new talent pool opens up. As the (ISC)2 report points out, 30% of cybersecurity professionals worldwide launched their cybersecurity career after holding a non-technical role such as in business, accounting, or marketing. Some organizations, such as IBM, opt for hiring and training professionals hailing from retail, education, entertainment, and law. However, this approach takes time - a luxury that organizations just don't have, considering the rising tide of cyberattacks using innovative and damaging attack strategies. Cybercriminals use botnets to launch attacks quickly and without the need for human intervention. Furthermore, the ESG and ISSA 2017 report shows that cybersecurity professionals don't have the time to continuously learn on the job, although they know that it is essential for mitigating cyberattacks.
- Opting for a managed security service provider (MSSP). Partnering with an external cybersecurity company is a win-win, especially in light of limited IT resources and staff. It allows organizations to use automated tools in lieu of in-house cybersecurity staff. Large enterprises are looking for advanced managed security services, ranging from threat management, vulnerability management, and anti-malware, to scanning and testing. They want to have the most sophisticated SECaaS solutions in place to boost their posture against the constant barrage of cyberattacks. Distributed organizations, such as hotel and restaurant chains, are prime targets. To protect each of their locations, they turn to advanced managed cybersecurity services to protect their data, especially customer details and financial information. Small and medium-sized businesses (SMBs) such as law and accounting firms turn to managed security services because they have limited resources (in both budget and HR terms) to protect themselves from cyberattacks while complying with the various regulations.
However, there is a third approach that is worthwhile - using automated security tools to carry out the tasks that would otherwise fall to security staff. This approach can overcome the shortage of security professionals. More specifically, security tasks such as collecting and analyzing data, reviewing code, vulnerability scanning and even performing pen tests can be done by cybersecurity tools.
Cybersecurity companies such as Cymulate are able to deal with the increasingly complex and targeted cyberattacks on organizations of all sizes. Especially considering the stringent requirements of legislation such as the upcoming GDPR, enterprises are struggling to meet regulatory deadlines. To keep up with cybercriminals, opting for SECaaS solutions such as Cymulate's Breach & Attack Simulation (BAS) platform as part of the cybersecurity arsenal is a clever way to go.