At the end of March, the Department for Digital, Culture, Media and Sport warned that 39% of businesses had reported experiencing cyber attacks or breaches of data security in the preceding 12 months. In its Cyber Security Breaches Survey 2022 report, it urged organisations to strengthen their defences.
Yet this is far easier said than done. The number of unfilled cybersecurity jobs worldwide grew from 1 million to 3.5 million in the eight years to 2021, according to research by Cybersecurity Ventures – and this gap is unlikely to close any time soon.
In the UK, the cybersecurity workforce shrank by 65,000 last year, leaving a shortage of 33,000 people, says Clar Rosso, CEO of not-for-profit security training and certification body (ISC)2.
The consequences for organisations that have struggled to find sufficiently skilled cybersecurity professionals, she notes, have been alarming.
“What we find is that they are experiencing misconfigured systems. They’re not spending enough on risk assessment and management. They’re slow to patch critical systems and they’re rushing deployments of new tech,” Rosso says. “The Russia-Ukraine conflict and the heightened cyber alerts; the zero-day vulnerability in the Log4j Java logging utility that emerged in December; the recent breach at [ID management specialist] Okta – all these things are making the situation even worse.”
Certain roles are proving particularly hard to fill. The US Computing Technology Industry Association (CompTIA) has highlighted specialisms such as penetration testing, auditing, risk management, governance, cryptography, social engineering and the development of defence systems that use artificial intelligence.
“In some cases, the rate of change in these fields is outpacing the speed at which additional cybersecurity professionals can obtain training, certification and sufficient experience,” reports CompTIA’s chief research officer, Tim Herbert. “Beyond the conventional technical or soft skills gaps, there may be perception gaps whereby employers try to hire a ‘unicorn’ candidate to fit a very specific mould. There could be location gaps and there could be pay gaps, which tend to be especially challenging for small and medium-sized businesses. And there could be confidence gaps among students or career-changers.”
With all these considerations in mind, how can organisations obtain the cybersecurity skills they so sorely need?
The first step is to define the key problems they need to solve, says James Hadley, CEO of Immersive Labs and a former cybersecurity trainer for the government and companies in the defence and finance sectors.
“Companies need to measure where they are with the issues they’re facing and, based on that measurement, identify their skills gaps,” he advises. “Such gaps could take the form of existing employees who don’t understand how their role pertains to cybersecurity, say, but the benchmark assessment could also prove having a deficit of security analysts, for example.”
The most obvious way to gain the necessary skills is recruitment, but the scale of the talent shortage is such that organisations may need to cast their net more widely than they’re used to.
The cybersecurity profession is notoriously white and male, with new arrivals in the sector generally having a background in IT. Encouraging applications from outside this demographic can give recruiters access to new pools of talent.
“We tend to see women and people from ethnic minorities take an academic route into cybersecurity. So, if you normally wouldn’t look to universities when recruiting, seek out people taking degree courses, because you tend to find a more diverse set of candidates on these programmes,” Rosso advises.
Her organisation conducted some research in this field last year. One of its conclusions was that people with more diverse backgrounds are more likely to be attracted to an employer if they can see people who look like them already working in the business. This is because “it leads them to believe they can be successful in your organisation”.
Rossi also advocates looking beyond pure technical ability. According to (ISC)2’s 2021 Cybersecurity Workforce Study, the most important attributes for cybersecurity professionals to have are strong problem-solving and communication skills, plus curiosity and eagerness to learn – all rated as being at least as important as professional certifications and experience.
“I recently spoke with some hiring managers who told me that if they see someone who possesses these skills, they won’t even worry about any shortfall on the technical side. That’s because they can teach the right candidates those skills in house or send them out for training,” she says.
Training up the people you already employ is the other main way to mitigate the cyber skills gap, of course. Indeed, 42% of employers responding to the (ISC)2 survey said that they considered this tactic to have the greatest impact.
As with recruitment, there’s a strong case for identifying people with the right non-tech skills and then giving them the IT knowledge they need.
“We can help to close the skills gap if we work to increase the cyber literacy of employees across the organisation – people who aren’t specifically working in cyber roles but individuals in finance, the legal team and other parts of the business,” Rosso suggests. “If we can increase everyone’s awareness, that will reduce the need for as many cybersecurity professionals.”
Achieving this will entail tailoring people’s training carefully, Hadley stresses.
“This is about ensuring that the right knowledge and skills are aimed at the right people in the right roles,” he says. “Non-technical employees need something that is measuring what decisions they would make in a given situation and how much confidence they would have in doing so. It should help them to understand the risks better. For members of the board, I might want to run a half-day facilitating session around a simulation.”
All these strategies will be necessary, given that the cybersecurity skills gap is widely expected to widen even further.
“Organisations need to start talking about the fact that this is a long game,” Rosso warns. “There isn’t going to be a magic pill.”