The University of Waikato’s Cybersecurity Researchers of Waikato (CROW) receives weekly requests from companies to see if personnel or students would be interested in applying for a role or an internship in cybersecurity.
The government’s strategy notes that 3,445 cybersecurity incidents were reported to CERT in 2018. The problem won’t go away. The only way demand will decrease is by having a supply of knowledgeable cybersecurity workers.
Looking at the state of the workforce internationally, the 2018 (ISC)² Cybersecurity Workforce Study reports that the talent shortfall in Europe stands at 142,000 people. That is the population of a mid-sized European town. The huge gap between supply and demand should worry everyone who cares about safeguarding data.
While the study reveals sentiments from Europe, there is anecdotal evidence that New Zealand’s cybersecurity industry has similar concerns. The strategic remedies are the same for New Zealand as abroad.
A lack of security talent hinders companies as they embrace digital transformation, move to the cloud, and deploy advanced analytics to understand their customers better. Less obvious is the devastating effect the talent shortfall is having on the current ranks of cybersecurity professionals. They are overworked, stressed out, and too consumed with day-to-day activities to keep their own skills up to date.
Attackers have a skills edge
Research from Symantec indicates how significant the problem is. Symantec asked the opinions of more than 3,000 senior cybersecurity decision makers across France, Germany and the UK. Almost half (48 per cent) now believe that attackers have a raw skills advantage over defenders.
Burdened with the daily demands of keeping ahead of attackers, cybersecurity professionals have little time for their own skills development. This is one reason delegates at Symantec’s CISO Forum felt much of the current base of cyber security professionals, who have anywhere from one to three decades of experience, find the rise of cloud and mobility such a challenge to deal with.
Cybersecurity professionals are fed up with the stress and never-ending workdays. Some 64 per cent are considering leaving their current job and 63 per cent are thinking about leaving the industry altogether.
This, of course, could exacerbate the talent shortage. However, I have an additional concern. These highly skilled security experts love technology and security but hate working in a “make it through the day” corporate environment. It is conceivable some of these cybersecurity professionals could go to “the dark side” and become hackers themselves.
Adopt a new approach to security
To address the talent/skills gap, companies need to be creative and think in new ways.
Here are four key steps:
Evangelise to young people: Even as we ponder the current generation of cybersecurity professionals, we must prepare the next one. As an industry, we must evangelise and sell the idea of going into cybersecurity to young people.
In New Zealand there are organisations that showcase a wide range of career possibilities in Science, Engineering, Technology, and Math (STEM), such as The Wonder Project and Girls4Tech. These organisations work to inspire secondary and tertiary students in New Zealand to pursue STEM careers regardless of gender, race, or religion. Consider offering someone from your team to talk to New Zealand’s young people.
Cast the talent net wider: We must make a stronger effort to recruit people from diverse backgrounds. The Cybersecurity Workforce Study found only 24 percent of the workforce is female. Having a workforce made up largely of middle-aged white men provides a narrow perspective that exposes a company to social engineering attacks. This homogeneity of the profession is a concern, but it is also an opportunity. We have large groups to recruit from that have mostly been untapped. Think too about those looking for a career change, especially those from a profession that brings relevant skills.
Think beyond technology: Remember that cybersecurity is as much a social science as a technology endeavor.
At the Symantec CISO Forum, one delegate described the benefits of hiring a psychologist into the security team, who suggested initiatives such as praising those who raised a potential threat. The phishing simulation click rate at the delegate’s company dropped from 27 percent to 8 percent in just 12 months. By realising most cybersecurity tasks are not technical in nature, we can fortify our ranks with new kinds of professionals.
Eliminate routine chores: We need new approaches to reduce the mundane tasks that consume cybersecurity professionals and make their workday dreary and less productive.
Cybersecurity has become enormously complex, and a company's security environment can often contain more than 100 different point solutions from a huge mix of vendors.
Using a cybersecurity platform to integrate those solutions can improve security and reduce the manual efforts required to manage it. In the same way, an integrated security platform can reduce the volume of false alerts.
Using AI, machine learning and other new tools frees cybersecurity professionals to handle tasks that are more important and rewarding. It also reduces the pressure on companies to immediately recruit more cybersecurity professionals.
As the talent/skills gap grows, we must be as creative as the attackers who confront us – both in our tools and recruitment strategies. The industry needs to keep data safe and its workers happy.
Mark Shaw is technology strategist at Symantec New Zealand