Infosecurity Magazine reported that two-thirds (66%) of global CISOs say they are struggling to recruit the right talent and a similar number believe shortages will only get worse, according to a new study from Marlin Hawk.
The global executive recruiter surveyed 500 cybersecurity leaders working in businesses with 500 or more employees across the US, Europe and APAC, to compile its report, Global Snapshot: The CISO in 2020.
To solve the problem in the long run, nurturing the next generation is key. Companies should offer graduate schemes, apprenticeships, placements and work experience, but with the understanding that it’s a long-term investment. Cybersecurity training and studying are both incredibly time-consuming processes, and it takes years for individuals to reach the skill level that is so sought-after. As such, in the present, one approach organisations can take to fill gaps is to expand the skillsets of overlapping roles. For example, there are a lot of complementary goals shared between network and security administrators, so expanding their skillsets into a broader shared role is a natural fit.
Addressing the cyber skills gap is part of a bigger consideration of internal investment, and therefore success is heavily dependent on buy-in from the board. Without support and investment in security in all its forms – policy, people, tools and training – CISOs and CIOs face a daunting task. While legislation is a great driver for change, mandated compliance objectives naturally differ from the goals of the organisation itself. An opportunity for the organisation exists, however, where growth and security can go hand-in-hand – especially around the increase in data equity that security platforms hold. Emerging technologies that are revenue-generating, such as data science, can be utilised to maximise data equity and build the economics of an organisation whilst also materially reducing decision-making risk. This does lead to needing to better protect the valuable data equity as it grows and pushes revenue.
Statistics around the skills shortage are never in short supply, but remain concerning regardless. A recent report from ISC2 claims a 145% increase in the global workforce is needed to alleviate cybersecurity hiring concerns, as the threat landscape grows exponentially. This year’s DomainTools and Ponemon report on cybersecurity hiring and automation, which surveyed over one thousand IT professionals, found that the majority of respondents believed that automation will decrease the security headcount, but will not replace human expertise. Therefore, the security industry needs to continue to think creatively about drawing talent into cybersecurity, and governments need to recognise the importance of properly funding training schemes for cybersecurity: as data surpassed oil in 2019 as the most valuable commodity on earth, keeping this data safe and out of the hands of criminals should be a top priority.
The cyber security skills gap is becoming too large to ignore. Cyber security incidents and data loss pose a huge risk to the UK economy, and with reports that CISOs are expecting the global cybersecurity talent shortage to worsen in the next five years, it’s a matter of acting now or never. Evidently, a new approach to talent creation needs to be considered. Government, academia, law enforcement and businesses all have a part to play in talent identification and will need to work collectively. Innovation in technology should also be explored, such as leveraging solutions like Security Orchestration, Automation and Response (SOAR) to make better use of existing technologies already invested in whilst supporting and enhancing existing workforces.
One way to achieve this is through addressing diversity within cyber security and making training more accessible to people of all backgrounds. By doing this, businesses will be able to tap into more talent than ever before. Further to this, more diverse and inclusive cybersecurity teams will be key in offering a broader range of ideas and perspectives to detect and respond to attacks, defending UK businesses against cybercrime.