How upskilling could resolve the cybersecurity skills gap
Guest post by David Steele, MD of SecuriCentrix and Cyber Security Analyst.
Cybersecurity has a skills shortage. The problem is so bad that many are referring to it as a crisis and are deeply pessimistic for the future. In a 2021 report by the Information Systems Security Association and Enterprise Strategy Group, the crisis was said to be continuing “on a downward, multi-year trend of bad to worse.”
The result has been that many companies face recruitment difficulties. An estimated 3.5 million vacancies went unfilled last year. (In Ireland, it’s estimated that 10,000 workers are needed to plug the cybersecurity gap.) And that means that businesses are struggling to maintain their security, and the staff they do have are forced to work under extreme pressure. It is difficult to conclude that traditional recruitment, hoping that the employment market can provide candidates with the right skills in place, will address the issue. As a result, more and more businesses are turning to upskilling.
Why is there a skills gap in cybersecurity?
Like so many challenges businesses face, the cybersecurity skills gap is a result of the Covid-19 pandemic exacerbating underlying trends.
Cybersecurity, by definition, is an evolving field. Every advance in technology, both hardware and software, can bring risks and challenges. We have, within just a few decades, moved on from a situation where security was largely physical: a business network was generally contained in a single location. With no external connection, it was simply a case of controlling access. For some, it might have been as simple as disabling drives and USB ports, or just having locks on the door. But since then, the field of cybersecurity has grown rapidly.
Email and the internet added more threats, creating new attack routes for networks. But the increase in working-from-home has created an exponential rise in the dangers. People now connect from homes that will probably have dozens of devices. The network that connects them to their work will also be connecting anything from their printer to their TV or fridge. And since most people are not cybersecurity professionals, each of those connections poses a risk.
Before the pandemic, working from home was a growing but still relatively small trend that might have been a headache. The pandemic transformed the landscape. Almost overnight everyone needed to be working from home, and cybersecurity became an urgent and real issue, even for those businesses that had never had to consider it before.
The problem was that there simply weren’t enough suitably qualified people to handle the size of the challenge. While many businesses had exceptional cybersecurity teams, they simply weren’t able to scale to meet the explosion in demand. Although professionals were able to make things work, they did so under unsustainable pressure.
The challenge of matching demand and supply
Although the intense pressure of the initial stages of the pandemic may have passed, cybersecurity professionals still face significant demands. With remote working now established as common practice, they must manage security in a wide range of uncontrolled environments. And this is against a backdrop of increased complexity with cloud solutions and multiple third-party connections. All of these add to the risk.
On the other side of the coin, those seeking to exploit vulnerabilities are constantly adapting their attacks.
Cybercrime is relatively cheap to commission and easy to carry out. With a low risk of detection and prosecution, cybercriminals can carry out attacks on an industrial scale. While most might fail, the rewards of a successful attack can be large. In a survey by PwC, nearly half of CEOs consider cyber risks a threat to their company’s growth, and nearly all expect the rate of attacks to increase.
Unfortunately, the traditional supply of staff is too small to meet the increasing demands. Taking the old approach of employing and developing recently qualified staff means the problems will remain for years until there are enough cybersecurity professionals in place. And while some businesses have had success in luring staff from elsewhere with attractive packages, the net effect is just to shift the problem; it just changes which company has stressed staff who are under-resourced and likely to suffer burnout.
Furthermore, in the end, everyone feels the effects of an industry-wide problem. When there are so many soft targets, there is an incentive for cybercrime, and a much better chance it’s successful enough to fund the development of new attacks.
Upskilling as the solution
With a shortage of new candidates, upskilling provides the answer to the cybersecurity skills gap. And it brings multiple benefits for both employees and businesses.
One of the first is that, ultimately, cybersecurity is everyone’s business. From the CEO to the new employee at home, everyone has a role to play in ensuring systems are robust in the face of a growing wave of attacks. While this does not mean that everyone in a company needs to be a cybersecurity professional, it does mean that everyone should be aware of the risks, how to spot potential vulnerabilities and attacks and the practical measures they must take to prevent them.
However, it can also produce a supply of cybersecurity professionals. Waiting for qualified entrants to the jobs market will take too long and, in practice, it’s likely they will not be qualified for long! The cybersecurity environment changes so rapidly that the knowledge many graduates gain at the start of their course may not be relevant by the end.
Instead, identifying existing staff with the soft skills, or power skills, to develop, adapt, and learn may be the quickest and easiest path to take. Even staff without a technical background, but with the necessary attitude and abilities, can, with training, fill entry-level positions and find a new career path.
The result is a win-win. Staff find themselves with new opportunities to develop and grow. The business will help to promote loyalty and commitment from staff. And, perhaps most importantly, there will be an adequate number of people to meet the demand, helping not just to protect individual businesses, but increasing sector-wide capacity in the ongoing fight against cybercrime.
Author bio: David Steele is the MD of SecuriCentrix and a Cyber Security Analyst. Founded in 2010, SecuriCentrix has grown to become a global Security and Compliance service provider to organisations.
As a Service Focused Cyber Security company, SecuriCentrix’s priority is to deliver the best client experience with minimal disruption while enabling highly effective operational cyber programs.
The firm has forged strong relationships with organisations across Africa, Australia, Europe, India, and the UK.