The Crisis in Cybersecurity Staffing

Victims of organizational hacking continue to multiply, with the British Library’s IT systems crippled for months after a devastating ransomware attack in October. Meanwhile, market forces have done little to resolve the growing gap between the demand for cybersecurity (CS) expertise and the availability of suitably qualified professionals.

In this article we'll look at the disparity between supply and demand for CS professionals. What skills and training do cybersecurity experts need? How can organizations mitigate the staffing shortage?

What’s driving the demand for cybersecurity professionals?

The global economy depends on technology to keep it running. Opting out of the internet is not an option for most businesses, which means cybersecurity is a must.

Additionally, the “attack surface,” as Harvard Business Review (HBR) calls it, is expanding: “The number of applications used by a typical organization has rapidly grown over the last decade: according to recent reporting, typical organizations use 130 SaaS apps, up from 16 apps five years ago.”

With the number of connection points growing rapidly, back in 2022, Forbes’ Nick Espinosa called cybersecurity a “recession-proof” career, acknowledging that every organization with an internet connection needs some level of cybersecurity.

What’s limiting the supply of cybersecurity professionals?

ZDNet reports that a 2022 study from Mimecast found one-third of CS professionals were considering leaving their roles within two years. The obvious question is, “Why?”

The answer is almost as simple: stress and burnout.

The increased number of attacks, combined with media attention, put CS workers under more pressure. Add increasingly understaffed teams to the mix, and you have the perfect storm.

And there is one more factor that has turned up the heat on CS workers over the past few years. As an ISC2 Cybersecurity Workforce Study points out, “This piles on top of nearly three years of rapidly evolving business and threat environments that started with cybersecurity professionals securely transitioning their organizations through accelerated work-from-home and cloud services deployments in response to the COVID-19 pandemic.”

One might assume that people would rush to fill the demand for this secure and well-paid career — but it’s not happening fast enough. Professional CS association ISC2 says, “We estimate the size of the global cybersecurity workforce at 5.5 million — a 9% increase from 2022, and the highest we’ve ever recorded. Conversely, the global workforce gap continues to grow even faster: The gap grew by 13% from 2022, which means that in 2023 there are roughly 4 million cybersecurity professionals needed worldwide. The profession needs to almost double to be at full capacity.”

What skills do cybersecurity professionals need?

Part of the challenge of cybersecurity is the constantly evolving threat level. CS pros must stay on top of the latest technology and threats, which can lead to a skills gap. For instance, ISC2 found “92% [of respondents] report having skills gaps in their organization — the most common being cloud computing security, AI/ML and Zero Trust implementation.” Those are just the newest skills that CS experts must master; there are decades' worth of basic skills that anyone entering this field must have.

Not just technical

It's interesting to note that the skill set required to be a successful CS professional extends beyond technical expertise.

Training specialists Coursera identify fifteen areas where the CS professional needs to be equipped with the right knowhow. Ten of these are technical, from Controls & Frameworks and Network Security to Cloud and DevOps. But the remaining five are 'soft' skills focused on the organizational effectiveness of the security professional:

• Communication,
• Collaboration,
• Risk Management,
• Adaptability  
• Critical Thinking.

In addition the professional will need to be familiar with the Regulatory Guidelines that govern the company's activities in various jurisdictions - anything from the European Union's General Data Protection Regulation (GDPR) to the Health Insurance Portability and Accountability Act (HIPPA)—a US federal law that helps protect the privacy of medical records.

Keep in mind that this is just a starting point. As the digital world continues to evolve, so will the demands of cybersecurity jobs. The preparation of a CS professional necessarily involves a 'continuing education' approach to specialized training.

Training and other ways to mitigate the cybersecurity crisis

Ongoing education for existing CS experts is an important way to keep up with evolving threats. For instance, the Financial Times (FT) reports that RingCentral “has developed a training program for cyber security staff ‘almost like a mini MBA’, building skills in boardroom communication, risk assessment and calculating returns on investment.”

The same article also suggests companies have found the skills they need by hiring people from the military, and advises that looking for candidates with all the right certifications may be a waste of time: “Broad skills, such as business acumen and calmness under pressure, can be just as important in cyber security roles as technical skills, which candidates can be taught.”

What is the role of AI in cybersecurity?

No discussion of problems to be solved in 2024 would be complete without mentioning artificial intelligence (AI). IS2C wonders, “Will AI advance how we identify and respond to threats? Will AI force us to rethink security roles and responsibilities that may eliminate jobs or create new ones? Does AI herald a new era of rapidly evolving threats? Will AI foster a combination of all three scenarios, as well as others we have not yet imagined?”

Writing in Forbes, Andrew Hollister foresees "greater reliance on automation and machine learning (ML) in cybersecurity operations, as these technologies can automate routine tasks and enhance the capabilities of their existing staff."

These kind of AI-driven tools free up cybersecurity staff "to dedicate their time and expertise to tackling more intricate and complex security challenges that require human judgment and critical thinking."

Automation to the rescue?

Greater automation is itself an effective defense against breaches because manual processes may themselves be entry points for cyber attacks.

IT Brief Australia advises companies to 'Automate! Automate! Automate!' : "To defend successfully against attacks that are bigger, more frequent and more sophisticated, organizations must embrace security automation. Any type of manual security process becomes vulnerable to evolving attack patterns and new zero-day threats."

As the demands on cybersecurity professionals grow, it seems certain the mounting of an effective defense against increasingly sophisticated attacks will be an area where the flexibility and power of today's AL and ML models will find ample application.