How the Cybersecurity Skills Shortage Really Breaks Down

Ofer Elzam

The myth of a skilled cybersecurity worker shortage is pervasive. The reality is more complex. Many companies have the bodies in seats but grapple with optimizing their teams to meet today’s challenges.

While it’s true that companies struggle with a lack of resources, according to the more than 400 respondents to FireMon’s 2019 State of Hybrid Cloud Security survey, there’s evidence the staffing shortage is self-inflicted. As Forrester VP and research director Joseph Blankenship notes, the two million cybersecurity job vacancies forecast for 2022 are a problem of our own making, and solving it means rethinking how security pros are hired, trained and retained. It doesn’t exist in a vacuum.

Hiring Talent is Tightly Tied to Other Security Concerns

The skills shortage is just one of the five domains FireMon customers voice as being top of mind, but all of them significantly influence the personnel issues plaguing many security teams, even when there’s budget to fill open positions. Filling every seat in your Security Operations Center (SOC) doesn’t mean your team can do everything that needs doing, or that you’re able to manage them effectively. The lack of resources conundrum is confounded by the other four major areas that keep CIOs and CISOs awake at night, as highlighted in our 2019 State of Hybrid Cloud Security survey:

  • An ever-expanding range of vendors, with almost 36 percent of respondents either using native tools for each environment or manual processes, and 59 percent of respondents using two or more different firewalls in their environment;
  • An increased focus on incident response and the SOC;
  • The need for visibility into the mission-critical public cloud, even though 57.5 percent of respondents—more than half—spend less than 25 percent of their total security budget on the cloud; and
  • Increasing pressures related to compliance, governance and risk (GRC) management, which are holding back companies when it comes to putting workloads in the public cloud.

Organizations are grappling with what they must deploy to meet the daily demands of the business as well as the adoption of emerging technologies driven by digital transformation efforts, and it’s a challenge to find people who understand all the technologies out there. As your business operations and application delivery evolve, new security issues arise. And because not every security vendor can cover all the risk, it becomes necessary to implement more niche and best-of-breed solutions—all of which must be learned, deployed, integrated and optimized so they can work together effectively.

There’s also increasing pressure for the SOC to respond faster. When an incident comes through a specific solution, the team needs to understand what it means, what the risks are, how it must be handled and what the workflow is for that particular security tool. That includes whatever’s going on in multiple clouds, which sometimes have their own siloed security teams. Add in a DevOps team building new applications, and there ends up being a lack of cross-functional capabilities and unified response.

All this is happening in an era of increasing compliance, governance and risk management requirements. Global privacy legislation such as the General Data Protection Regulation (GDPR) or regional legislation such as the California Consumer Privacy Act (CCPA) or Canada’s updated Personal Information Protection and Electronic Documents Act (PIPEDA) all have notification requirements and other nuances security pros must be aware of. These four buckets add up to create and escalate the shortage of skilled resources. On top of that, retention issues abound, particularly as millennial security professionals look for new challenges as often as every two years, in line with their corporate culture preferences and career goals. Burnout is also a real issue, as Dark Reading recently reported.

Even if you can fill the ranks, it’s not reasonable to expect them to be experts in all fields, coordinate the work and do proper risk analysis across all domains. It’s also a 24/7 job, which is why you need to look at how you can support the security team with additional resources.

How Automation and Outsourcing Can Help

Regardless of budget, today’s pressures mean you must complement your own security team with other resources or bring in specialists to integrate tools and workflows. Outsourcing is an obvious avenue, but automation is essential if you’re to keep pace with the volume of threats and incidents common to any organization.

The pressure to respond immediately makes the case for partnering with a managed security services provider (MSSP) based in another time zone with qualified people who are an extension of your own team. Not only are they able to react quickly when an incident arises, but they should understand your security policies enough to make smart changes to them. It’s not a silver bullet, and it’s one more thing that must be managed, but it helps solve the incident response demands on your SOC. Combine it with automation based on smart security policies, and your security team can see some immediate relief.

Automation doesn’t mean no human involvement, no workflow, or no human approval, however. An automation tool should enable supervision, integrate into workflows and change management systems, and allow approval inside the organization of an MSSP change to be enabled as needed.

Successful Automation Requires the Right People

Neither outsourcing nor automation negates the need to have the right people with the right skills to manage security. They can make the process more efficient and free up time for the people you do hire, but those people need analysis and planning skills so you can truly benefit from outsourcing and automation. Some repetitive and mundane tasks can be easily automated, but often risk analysis must be done to create rules, define the responses and implement them as a standard across the organization, regardless of the tool. That’s where network security policy automation delivers true value.

This is the first in a series of blogs addressing the cybersecurity skills gap. The next post in the series will detail discussions with CISOs on how they view this challenge.