How The Talent Shortage Changes the Approach to Cybersecurity
There’s good news, and there’s bad news. The good news is that the number of cybersecurity professionals has reached an all-time high. According to (ISC)2’s annual Cybersecurity Workforce Study, 4.7 million people currently work in a security-related job.
The bad news: the study also found a worldwide gap of 3.4 million cybersecurity workers. 70% of those surveyed also said they think their organization’s security team is understaffed, decreasing its effectiveness.
As cyberattacks grow increasingly sophisticated and threat landscapes expand, organizations need to get creative in their cybersecurity approach. It’s not enough to reset the parameters on building skill sets. We need to start reimagining what internal cybersecurity programs should look like from the ground up.
Cyber skills shouldn’t just be reserved for experienced and well-trained cybersecurity professionals. While the security team is running the show, their job is primarily to focus on the technology side of things.
But most cyber incidents are the result of human error or ignorance about best security practices. Unfortunately, sometimes the workplace culture doesn’t encourage employees to come forward when they see or do something unusual. That helps threats slip under the radar until it’s too late.
Security best practices only work when everyone is a part of the solution. This is even more important in the context of our current cybersecurity staffing shortages. Doing more to make security an “all hands on deck” atmosphere will help close the skills gap.
One of the biggest hurdles in closing the talent gap isn’t a lack of people with the right skills, but rather unobtainable standards for employees just beginning their careers. Too many entry-level positions want new hires to have certifications like Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM). However, most prerequisites for taking the certification exams include several years of job experience (many require five years), are expensive (costing hundreds of dollars) and are difficult to pass on the first attempt. Then, once someone achieves certification, they aren’t applying for entry-level positions.
This approach has kept out many potential cybersecurity professionals who are just beginning their careers. Recognizing the certification roadblock in the talent gap, (ISC)2 jump-started a new initiative called One Million Certified in Cybersecurity. Participants enroll as an (ISC)2 candidate, where they will get free training in a self-paced course and a free exam opportunity. Once certified, the participant will have access to the professional development opportunities and resources that other certified professionals have. While the overall objective is to increase the available skilled labor needed in entry-level positions and beyond, it is also an opportunity for more people to explore a cyber career without spending thousands of dollars. Most importantly, it should offer employers confidence when bringing in less experienced talent.
“Employers need confidence that when hiring new entrants into the field they have a solid grasp of the right technical concepts, and a demonstrated aptitude to learn on the job,” (ISC)2 asserted, adding that with the creation of such a certificate, it will enable job candidates to “demonstrate to employers their familiarity with foundational cybersecurity concepts as determined by cybersecurity professionals and practitioners already in the field.”
Security awareness training, as most organizations deliver it, isn’t working. A study from Elevate Security found that, while security training slightly lowers phishing click rates in simulations, it has little to no effect in real-world attacks, which is when that training really matters. Periodic online quizzes or annual lectures aren’t moving the needle.
A different style of training may make a bigger difference. When users understand the consequences of their actions and how to decrease risk, they become partners with cybersecurity professionals. The goal is to reduce human-caused incidents so the security team can focus on the tech side of the job. But first, users need to be better engaged in their awareness training activities.
During the Insider Risk Summit, the Head of Trust Culture and Training with Atlassian, Marisa Fagan, said that training should be fun. When training is enjoyable, employees feel like they are a part of something important to the company. According to Fagan, effective security training should be relevant and fast-paced and add an element of storytelling. You want to have employees talking about the session and sharing what they learned in casual conversations.
Fagan suggested training films that are actual movies; they have an action film’s drama and excitement but are tailored to highlight your organization’s security concerns. They’re much more engaging than a PowerPoint presentation, and that makes the training stick.
Reframing cybersecurity while dealing with a skills shortage will involve changing overall behavior. Just as security awareness training must be encouraging in order to be effective, getting users to follow security best practices will depend on the user experience. You want users to reach the point of making better decisions and regularly doing the right thing, according to Ira Winkler, field CISO and vice president with CYE, who spoke at the 2022 (ISC)2 Security Congress.
Security teams can take steps to embed cybersecurity into job functions and modify IT interfaces to encourage behaviors that reinforce good security habits. Overall, employees should be “caught” doing the right things and rewarded for it, rather than punished for doing the wrong thing.
The skills shortage is not going to disappear overnight. However, with steps such as improving security awareness training or accepting beginner certifications as an entry-level qualification, organizations can adjust their approach to their cybersecurity posture and build a foundation that supports the cybersecurity team.