It’s coming: the ‘cyberskills shortage,’ which puts companies in desperate need of InfoSec and other specialised IT personnel but without the staffing pool to match. And the problem is more than simply technical — in Britain alone this lack of skills is costing corporations a staggering amount in terms of being more vulnerable to cybercrime and the financial losses that ensue.
There has been much talk of closer cooperation between the educational institutions that provide the training and the corporations facing the burgeoning technical skills shortage, to try to solve this disparity. This process will take time and a concerted effort by both industry and the educational sector to provide workable solutions for the benefit of graduates, universities and employers alike. But until some of these joint accreditation and mentoring schemes begin to yield the right combination of skills and experience for these roles, the question is: how do companies shore up their defences when short on specialist talent?
Organisations looking to increase their cyber defences need fully trained experts who are able to hit the ground running, and with the current skills gap this isn’t always feasible. With increasingly sophisticated malware and ransomware threats targeting all manner of critical data, the required InfoSec skills are becoming a much sought-after commodity in the technology human resources market.
A recent National Crime Agency (NCA) report estimates that the cost of cybercrime to the UK economy is billions of pounds per annum – and growing. In the report, the NCA calls for more cooperation among businesses and law enforcement, while the UK’s Ministry of Defence (MOD) is launching its own “Defence Cyber Aptitude Test”, designed to uncover hidden cyberskills in otherwise untrained workers, to try to tap their natural skills for use in combating malicious actors.
The problem? Good intentions don’t always equal great results. Though this type of cooperation is a step in the right direction, telling organisations to link up with law enforcement is one thing, even with solid data to back it up; getting companies to overcome their natural reticence about opening up to scrutiny by a public body is another. As for finding those “hidden gems,” well, it all seems a bit pie-in-the-sky. So can the answer, for the time being, lie within technology itself?
Enterprises have been grappling for some time now with the looming skills shortage against a backdrop of increasing attack rates. To reflect this, most senior IT professionals expect their security budgets to increase over the next year, but that money needs to be spent wisely. Sometimes even the most costly tools can be more of a liability.
A significant number of IT pros would admit to ignoring security alerts when some of these tools start generating too many false positives. Given that 20 percent of companies now leverage more than 10 tools at once that generate these alerts, it’s no wonder InfoSec pros have had enough of dealing with these non-starter issues. They would much rather be trying to track down real-time threats that have serious ramifications and could end up costing the organisation both financially and in the loss of trust from their customers. Put simply, bigger budgets don’t guarantee better outcomes if security professionals and their tools don’t get on.
So how do skills-strapped and budget-conscious companies tackle the challenge of improved IT security even as the gap between needed and available talent continues to grow? One solution is automation. Many security tools come with automation capabilities for intrusion detection, network access or endpoint defence, but too many companies are either reluctant to give up even a small measure of security control or haven’t taken the time to properly configure and test these options. It’s a solid starting point: by removing some of the unnecessary workload from the lives of InfoSec professionals, companies can encourage a shift from reactive security policies to a more proactive approach.
But automation is only half the battle, especially as network complexity and endpoint numbers increase thanks to the emerging Internet of Things. Traditional, top-down security solutions are out of their element in this environment; new offerings are now on the rise that track end-user behaviour and experience in real-time to help identify threats and shore up the skills gap.
Bottom line? The cyberskills shortage isn’t a permanent state of affairs but it’s going to take some time for cooperation and training efforts to match corporate demand. Beyond bigger budgets, companies can bolster InfoSec success with increased focus on automation and attention to the end-user experience.