The global cyber security industry is suffering a worker shortage of approximately 3.4 million according to (ISC)²’s 2022 Cybersecurity Workforce Study. Cyber crime is on the rise, the workforce is under-resourced, and the plethora of security solutions continues to grow. What does the cyber skills gap mean for organisations attempting to secure their systems and data from increasingly sophisticated threat actors? We consider the impact.
Recent high-profile cyber attacks have brought organisational cyber security practices and threat preparedness to the fore. Compliant, effective security is now a board-level priority. As a result, the demand for a well-equipped and expertly trained cyber security staff has never been greater.
In an already scarce market, Gartner reported a further 8 per cent increase in demand for skilled security experts in 2022. Vacancies flood LinkedIn, but crucially, positions remain unfilled. In fact, 36 per cent of CISOs now rank cyber security resourcing as their key security challenge.
As expansion continues across corporate networks to facilitate flexible working and the associated IoT, overstretched security teams are tasked with mastering an increasingly diverse and hostile digital landscape. Vulnerabilities are almost inevitable.
In many organisations the sophistication and technology employed by cyber criminals now outstrips the capabilities of in-house staff. Without adequate cyber security skills and resources, teams are left playing catch up.
What’s to Blame for the Cyber Security Skills Gap?
There’s no question that cyber security is a candidate’s market. And it’s not a new problem. These skills have been in high demand since the early days of firewalls and anti-virus. But consumer organisations and cyber support teams alike are now feeling the effects of the widening skills gap in earnest.
So why is the cyber skills gap so pivotal in 2022? There are several factors…
Highly skilled and crucial to business operations, cyber security roles are expected to offer appropriate remuneration to attract talent. When polled by (ISC)², 27 per cent of candidates cited high salaries and generous compensation packages as a key motivator behind their choice to pursue a career in cyber security.
But in a time of rising global inflation and ever-increasing overheads, tighter budgets may preclude organisations from bagging the best talent in cyber security.
Struggles in Retention
The skills gap is keenly felt from recruitment through to retention. Up from 53 per cent in 2021, 60 per cent of organisations approached in recent research are now experiencing difficulties in retaining their existing cyber security staff.
Competition is fierce and the highest performers are quickly identified and approached with lucrative offers. With finances a concern for many, it’s little surprise that candidates can be encouraged to jump ship for the right price.
A Field in Its Infancy
The university pathway into cyber security is promising but has yet to catch up with the unprecedented demand for certified staff. Enrolment is up, but many institutions are new to the game and courses are in their infancy. Today’s students are tomorrow’s specialists, but the road is a long one.
In the interest of retaining talent, many organisations are opting to fund on-the-job training and certification for junior staff. This forward-thinking strategy may stand security departments in good stead in years to come but does little to alleviate the pressures on existing teams.
Casualties of Role Creep
While academic entry points are on the rise, for many, the route into cyber security isn’t linear. According to research by IPSOS, 85 per cent of existing UK cyber roles constitute an amalgamation of cyber and general IT responsibilities.
With increasing compliance and regulatory demands, cyber security can no longer be treated as a bolt-on to day-to-day IT support. And businesses are waking up to this new reality. Whether via a breach or new insight, organisations are becoming increasingly aware of the need for dedicated cyber security resources and seeking solutions accordingly.
When up-skilling is continuous and the latest certifications are essential, security specialisations are commonly carved out to maintain the depth of knowledge required. A highly specialised team is an asset to any organisation. But as the security toolkit grows (an inevitability!), so too should the team, or else risk a substantial increase in workload and a dilution of understanding.
What Does the Cyber Skills Gap Mean for Your Security?
60 per cent of organisational decision makers now agree the global shortage of qualified cyber security staff creates additional risk to their business.
This sentiment is echoed within the industry. (ISC)² asked cyber security professionals their perception of additional risk incurred due to staff shortage. 54 per cent of those with significant staff shortages described the risk as “Moderate”. 20 per cent categorised the risk as “Extreme”.
The same respondents acknowledged that “oversights in process and procedures”, “misconfigured systems” and the need for “proper risk assessment and management” could have been remedied with sufficient levels of trained cyber security staff.
Recent data on reported security breaches bears out this concern. A massive 83 per cent of organisations polled have now suffered more than one breach. Ransomware attacks alone saw a 105 per cent spike in 2021. Perhaps even more concerning is the frequency, with attacks now being lodged once every 11 seconds.
Lightning-fast development and deployment of new technologies requires organisations to adapt security systems in motion. Cloud services, open systems and an increasingly remote workforce leave businesses open to configuration mistakes, poor security hygiene and gaps in maintenance. Increasingly complex combinations of software and suppliers create the potential for clashes and vulnerabilities when teams can’t practically manage security demands.
According to Cybersecurity Solutions for a Riskier World, breaches attributable to misconfigurations are predicted to increase by 49 per cent in the next two years. Poor maintenance is expected to account for a 40 per cent increase.
From operational impact to financial loss, the material damage caused by attacks shouldn’t be underestimated. The average cost of a data breach to an organisation has increased by 12.7 per cent since 2020, hitting an all-time high of $4.35 million in 2022.
Less quantifiable but equally – if not more – harmful is the damage to reputation and consumer trust in the wake of a breach. When compromised customer data is front-page news, organisations can’t afford to neglect a properly resourced team and regularly interrogated security strategy.
So, What’s The Solution?
The challenge of resourcing cyber talent extends far beyond low staff numbers. As threat actors develop their technologies and methods, the breadth of skills required to adequately secure business environments must keep pace.
Cloud security specialists are in high demand, but so too are SOC analysts, network architects, incident response specialists, NOC operators, penetration testers… For many, there may be no quick fix in-house. That’s where external solutions come in.
According to feedback in Gartner’s recent cyber skills gap webinar, almost 80 per cent of respondents are now considering external managed services as a solution to the gaps in their security arsenal. And for good reason.
Investing in a trusted security partner grants organisations access to a wide network of world-class expertise. When hiring seems near impossible, a strategic alternative is available.
Threatscape is pleased to offer the next generation of security posture management. Overwatch for M365 Security is a continual optimisation service that offers your organisation access to award-winning Microsoft security expertise across the entire M365 platform. If you’re struggling to recruit cyber security personnel, we may have the solution.