Part one of a two-part blog series that looks at the issues surrounding the cybersecurity skills gap.
Reflecting on the time I recently spent with some of our sales engineers, I was reminded that one of the biggest issues faced by most of the end-user organizations we work with (through our value-added reseller [VAR] partners) is a lack of cybersecurity expertise. Organizations simply can’t recruit or retain all the talent they need to mount an effective defense against all the different threats they are facing.
We’ve all seen the stats – 82% of IT professionals report a lack of cybersecurity skills within their organization; more than 30% of cybersecurity openings in the U.S. go unfilled every year; by 2019, there will be one to two million jobs unfilled in the global cybersecurity workforce.
So, why aren’t more people flocking to cybersecurity? Particularly when cybersecurity professionals are being heralded as one of the job market’s hottest commodities, in a cybersecurity market that experts predict will grow to $170 billion by 2020? I think, to state the obvious, it’s because cybersecurity is hard, and only getting harder.
Cybersecurity experts have to stay on top of all the new threats facing their organization. That’s no small task, considering:
- A new zero-day vulnerability is discovered every week.
- On average, 200,000 new malware samples are found every day.
- More than 4000 ransomware attacks are carried out every day.
- More than 13,000 Android devices are infected every day by a targeted malware campaign.
Cybersecurity experts also have to stay on top of the ever-growing number of highly skilled hackers targeting their organization, all of whom have different, yet extremely persistent motivations, such as:
- Nation states – looking to exert influence, disrupt activities, and gain an advantage (e.g. Russian hackers were implicated in tampering with the 2016 U.S. election, according to the Wall Street Journal).
- Criminal rings – looking to steal or extort money (e.g. Avalanche group, Dyn DDoS attack).
- Internal actors – looking to further their personal agenda or exact revenge (e.g. 78% of breaches originate from within the extended enterprise), or being used as pawns in an attacker’s campaign (spear-phishing targeting employees increased 55% in 2015).
In addition, cybersecurity experts have to try to identify and shut down all the different vulnerabilities (and ways attackers can get “in”) throughout their organization. The universe of attack vectors is exploding, as organizations increasingly rely on:
- Cloud computing – it’s predicted to grow 18% in 2017 to $246.8 billion in total worldwide revenue; three quarters of web sites were found to have vulnerabilities.
- Personal mobile devices – by 2017, the total number of mobile phone users will rise to 4.77 billion.
- Internet of Things (IoT) – it’s estimated there will be 22.5 billion IoT devices by 2021; many of these devices can be exploited to launch attacks.
Cybersecurity experts have to deploy, manage and maintain a range of different cybersecurity technologies to try to protect against all the threats and attackers targeting their organization. They need to monitor, identify and shut down attackers’ ability to exploit all the different attack vectors that potentially exist.
As with everything in cybersecurity, determining what needs to be implemented to defend the ongoing operations of their business and the integrity and privacy of their critical assets is anything but simple. There were almost 600 vendors exhibiting at this year’s RSA and close to 250 startups doing things in and around the event. Almost all have marketing messages that make seemingly indistinguishable claims, offering overlapping capabilities that make the marketplace complex and confusing.
It’s hard for even seasoned cybersecurity professionals to navigate, so how do we expect someone entering the field to get up to speed on everything? How do we expect them to be able to identify all the different vulnerabilities, threats and actors they could come up against? How do we expect them to learn how to use all these different systems and figure out what to do?
The simple answer is we can’t expect them to do these things until we show them how to do them. If we are to address the cybersecurity shortage and recruit and retain vital cybersecurity personnel, we are going to have to change our expectations and adjust our approach. If we don’t, the cybersecurity skills gap is only going to get wider. For my thoughts on what these expectations should look like and what the approach should be to develop new talent to start to better address the skills shortage, check out part 2 of this blog series.