How to Manage Cybersecurity Staff Shortages

Uploaded on 2022-09-19 in JOBS-Training, FREE TO VIEW

The Need

It’s difficult to not sound like the voice of doom when suggesting the need for cybersecurity has never been greater, and thus the need for people skilled in it is similarly great.  
 
The simple truth is that during the last few decades the adoption of technology both at home and at work has increased exponentially.  But neither the understanding of that technology, nor the desire to build it, has increased similarly.  

Meanwhile, lockdowns from a once-in-a-century medical scenario have prompted embracing remote or hybrid working permanently.  In cybersecurity terms, this increases risk compared to more familiar models where employees work from one centralised location, easily protected by in-house hardware and infrastructure, with custom systems running over it.  According to Deloitte, this change in working practices has led to increasingly sophisticated cyberattacks, with those using unseen malware methods rising from 20 per cent to 35 per cent.  Similarly, the HP Wolf Security Rebellions and Rejections Report shows that 83 per cent of IT team members agree that the increase in home working has created a ticking time bomb for a corporate network breach.
 
At the same time, there is an ongoing misconception that organisations with “nothing to steal” are immune to threats.  However, they can still be held to ransom, with their website, social media, or even organisational operations taken offline until money has changed hands.  Health Service Executive (HSE) in Ireland is a telling recent example.
 
The Difficulty

Improved security technologies are assisting with this issue, but it still takes an experienced human to interpret that data and identify the most volatile threats.  This is why the LOG4J issue wasn’t resolved until many organisations were already vulnerable or even under attack.  The problem is that cybersecurity is a specialisation within IT so it’s a small pool of candidates within an overall pool that isn’t nearly big enough to meet the demand either.  This is made more problematic by the fact that lateral thinking fixes that might work for other parts of IT may not work as well for cybersecurity.  For example, at DigitalWell we have been analysing certain IT roles to identify where candidates may have transferrable skillsets from other sectors.  People good at finance may also make good business analysts while those exceptional at retail have the ‘people skills’ potential for client-facing IT project management.  
 
But cybersecurity is more specialised than those, so much so that it’s an expensive skillset for most firms to have on their books unless it’s a very big organisation.  The more immediate needs are likely for networking or client support.  And this is before you account for the trend for IT to be as involved with things like corporate culture change, profit-boosting, and staff retention as the HR or sales teams.
  
Short-term Solutions

This is why the first short-term solution for cybersecurity is to outsource some or all of it, even if only for the immediate future.  It makes more sense for the personnel within the organisation to take care of the IT work that involves their immediate peers, and sometimes it’s a relief to have someone to call when something goes wrong rather than have to figure it out yourself.  
 
Outsourcing aside, organisations should be making the most of what IT resources they already have.  For example, according to a recent report by the Ponemon Institute, 60 per cent of breaches in 2019 were attributable to vulnerabilities for which a patch was available, but not applied.  If you can stay on top of patching, your overall risk profile can be massively transformed.  Outside the IT department, others can assist in making the organisation more security-oriented in general.  According to the 2021 Verizon Data Breach Investigations Report, phishing is still at the top of security breaches and lockdowns have increased its use from 25 to 36 per cent of breaches since 2020.  

Similarly, 85 per cent of breaches involved a human element, indicating that better education might stop threats before they occur.
 
At a more strategic level, organisations need to change their mindset from perceiving home or hybrid working as temporary to being the norm.  Until we have more qualified, experienced IT people, firms will need to make concessions in this area to keep current talent and attract more.
 
Long-term Solutions

Lockdowns enforced home and hybrid working arrangements, but also reminded us of our basic needs for work/life balance, human contact and socialisation, and empathy.  Within organisations, there has never been a better time for IT and HR policies to support each other in ensuring that current staff are retained and new staff attracted by a flexible and humanistic approach to working arrangements.  We’re seeing this move to more empathic IT systems and HR policies amongst a number of our clients, and in different sectors.
 
Outside the organisation, more work needs to be done.  There is a misconception among the very age groups we seek to attract to the IT industry that either IT work is all about coding and nothing else, or that coding is ‘beyond’ most people.  But not all roles within IT are quite so ‘hardcore’ and if the candidate pool was larger in general then it would be far easier to find those who might specialise in cybersecurity within that pool.  

It is also important to remember that with human factors and regulatory issues being so important, modern Information security professionals do not always have to have a technical IT background  - many come from other areas like legal, HR or even facilities-management. Even within the IT sphere the integration of IT into almost every aspect of home life and the workplace means that people skills, project management, or analysis are now as important as the more ‘traditional’ technical IT skills.  This is the key misconception some of our senior leadership team are advising the UK government on via the Institute of Telecommunications Professionals.  

Rather than wait until people have graduated, this focus is on people of school age who might consider IT as a career path were it better understood, and consider apprenticeships.
 
In the meantime, there are plenty of other initiatives such as Women Who Code and CoderDojo that organisations can get involved with and that need their support.  These can either make people aware that IT presents an opportunity as a second career, or encourage children to understand the ease and potential of IT work at an early age.  

Finally, I would urge organisations facing a shortage to remember the ideal personality type for cybersecurity roles.  It’s not the same as an IT support role that offers relatively similar work from a comfort zone.  It's like the Matrix, engaging and ever-changing, where curiosity and an interest in the technology and its capabilities ensures that ongoing learning is second nature and money is less of an incentive.

Chris Peregrine is Head of Product Management at DigitalWell

You Might Also Read:

Why A Managed Security Service Provider Should Be On Your Cyber Roadmap:

 

« Containers Are Temporary, But Container Data Is Not
CISA's Threat Intelligence Program Was Defective »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

National Trading Standards eCrime Team (NTSeCT)

National Trading Standards eCrime Team (NTSeCT)

The National Trading Standards eCrime Team tackles online consumer scams, rip-offs and fraud, as well as those committed by text or email.

New Zealand Internet Task Force (NZITF)

New Zealand Internet Task Force (NZITF)

The New Zealand Internet Task Force (NZITF) is a non-profit with the mission of improving the cyber security posture of New Zealand.

Synectics Solutions

Synectics Solutions

Synectics deliver solutions for reducing risk, combating financial crime, and enabling organisations to meet their compliance and regulatory commitments.

Consortium for Information & Software Quality (CISQ)

Consortium for Information & Software Quality (CISQ)

The mission of CISQ is to develop international standards for software quality and to promote the development and sustainment of secure, reliable, and trustworthy software.

Oceania Cyber Security Centre (OCSC)

Oceania Cyber Security Centre (OCSC)

OCSC engages with government and industry to conduct research, develop training opportunities and build capacity for responding to current and emerging cyber security issues.

CipherBlade

CipherBlade

CipherBlade specializes in blockchain forensics, data science and transaction tracking.

CyVolve

CyVolve

Cyvolve is the next great leap forward in data security, ensuring constant encryption and pervasive control over all your data.

Cord3

Cord3

Cord3 delivers data protection, even from trusted administrators – or hackers posing as administrators – with high privilege.

Netlinkz

Netlinkz

Netlinkz has developed the Virtual Secure Network (VSN) overlay technology platform, a breakthrough in connectivity security, speed, and simplicity.

Argentra

Argentra

Argentra is a specialist engineering company, we have years of experience developing custom security software and providing security risk consulting.

GitProtect.io

GitProtect.io

​GitProtect is a fully manageable, professional GitHub and Bitbucket backup and recovery software that protects repositories and metadata from any event of failure.

Center for Information Technology Policy (CITP) - Princeton University

Center for Information Technology Policy (CITP) - Princeton University

The Center for Information Technology Policy at Princeton University is a nexus of expertise in technology, engineering, public policy, and the social sciences.

Cornami

Cornami

Cornami delivers real-time computing on encrypted data sets, which is vital for data privacy and cloud security.

Prembly

Prembly

Prembly are a compliance and security infrastructure company.

Assura

Assura

Assura provides innovative cybersecurity advisory and managed services to all industries including government, healthcare, financial, manufacturing, and transportation sectors.

National Cybersecurity Competence Center (NC3) - Luxembourg

National Cybersecurity Competence Center (NC3) - Luxembourg

The purpose of the is to strengthen the Country's ecosystem facing cyber Luxembourg National Cybersecurity Competence Centerthreats and risks.