As organizations begin to address the risks of an increasingly complex digital landscape, they are recognizing that cybersecurity challenges are compounded by a lack of available talent and skills to mount a necessary defense. The digital skills shortage in the U.S. is at a critical point, highlighting a need for increased investment in workforce training. The Biden White House recently said that roughly 700,000 cyber-defense-related positions nationally are unfilled.
Clearly, CISOs and leaders across the C-suite are focused on the challenge, and many are investing heavily in shoring up gaps in their cybersecurity approach. In an age when a cyberattack can be an existential threat to any organization, cybersecurity engineers will serve as the first responders to such threats.
But organizations are struggling to fill these roles. Cyber professionals face ever-increasing pressure to keep up with more sophisticated and complex threats. The burnout in the profession is significant. What’s more, there hasn’t been a good understanding of the variety of jobs that exist in cybersecurity, or of the various skills that can be leveraged for those jobs.
What complicates the effort to fill these roles are the demands placed on them. A strong cybersecurity professional must have advanced skills and experience in the following: meeting the immediate needs of securing the enterprise while also satisfying regulators and compliance officials; keeping a close eye on protections for customers and their personal data; and, if an incident occurs, navigating those interactions and coordinating with law enforcement. These are skills rarely found together.
In fact, not only is there a challenge in filling day-to-day roles within the cybersecurity portfolio, there is also a leadership gap. Many highly skilled cybersecurity professionals avoid taking leadership positions in the field precisely because they do not feel prepared to take on these multivariate tasks.
The solution rests in a two-pronged approach.
#1. Leverage cybersecurity frameworks and automation.
Organizations need to reduce the demand on crisis cyber defense by deploying automated platforms and technologies, such as zero trust security, to screen out threats and examine their entire value chain — including suppliers, vendors and others who may be the source of the greatest potential risks. As part of this effort, trained cybersecurity professionals should be deployed during the software development lifecycle and across business processes so that security and protections can be embedded by design rather than bolted on later.
#2. Migrate cybersecurity to the cloud.
Another key area of focus needs to be shifting to cloud platforms for data storage and related security — and a number of cybersecurity officials agree. In the July 2022 Risk & Cybersecurity Study from TCS, 60% of CISOs and CROs said they feel confident they can avoid serious financial or reputational fallout from a major cyberattack in the next three years. In addition, 62% of the officers say cloud is at least as secure as on-premises servers, or more so. By migrating to the cloud, focusing on stronger passive defenses, and eliminating the weak spots associated with on-premises systems, CIOs and CISOs can greatly reduce demand on their cyber-focused teams.
Additionally, organizations need to address recruiting, training and retaining talent in a more systematic way. With additional support through paid internships and apprenticeships, not to mention event-driven recruitment like hackathons, a strong digital recruiting and hiring program can create a far more robust talent pipeline.
Organizations can create curricula in collaboration with universities and technical schools that lead to more cybersecurity-trained graduates and cohorts each year. With six weeks of focused training during the university program, and an additional four to six weeks of on-the-job experience, an individual can rapidly gain the skills necessary to support cybersecurity goals inside an organization.
In addition, organizations already have some of the highest-potential talent in their own ranks. By providing proper training, and promoting career growth through special incentives, they can simply shift existing talent into cyber-related roles.
To close the leadership gap in cybersecurity, organizations should avoid placing all authority for cybersecurity under a single officer. Rather, by deploying outside assets and programs, an organization can build a “virtual chief information security officer” function, with several specialized in-house leaders working with external support teams. Such an approach provides mission clarity for in-house teams, limits the drain on internal resources, and broadens the pool of talent available for leadership roles.
In short, it’s easier to staff cybersecurity teams when these roles are treated as representing a broad function rather than a single position — it’s an office, not an officer.
Such steps can expand the size and quality of existing cyber teams, creating a greater draw for future talent, while also reducing demand on existing teams.