Nearly every day, there’s a new report regarding cybersecurity attacks and risks, and no matter what upgrades and mitigation strategies are presented, things don’t seem to get any better. Why is that?
In the simplest sense, cybersecurity issues remain top professional and political problems because cybercriminals are faster and more focused than those on the mitigation side.
Furthermore, even in cases where organizations implement strong cybersecurity practices, the current skills gap makes it hard to stay ahead of bad actors. It’s only by bridging this gap that organizations will be able to protect themselves from cybersecurity risks.
The Skills Gap: A Persistent Problem
When we talk about the cybersecurity skills gap, we’re actually talking about several problems wrapped up in one. For five years now, experts have surveyed cybersecurity professionals and evaluated the industry, and determined that there were not enough trained professionals in the field to keep up with demand. That’s leading to burnout among those who are working in the field, which makes the problem even worse, since burnt-out professionals are more likely to leave the field.
The other major issue facing the cybersecurity industry is that not all of those working in the field are equally qualified. The skills gap can, then, point to either an overall shortage of workers or a sufficient number of workers, many of whom are insufficiently trained. Increasing access to training programs and professional development could help resolve the latter problem, but it needs to be funded, at least in part, by employers.
Move Fast, Don’t Break Things
In many other tech professions, fast evolution is a fun challenge. That’s because even if staff mess things up, the consequences are likely to be negligible – hence the saying, “Move fast and break things,” which served as Mark Zuckerberg’s infamous motto. But, in information security roles, there’s no room for mistakes. Mistakes can compromise proprietary information, customer data, and other sensitive material.
Even though chaos – breaking things – is frowned upon, the cybersecurity field is still moving fast, and this complicates things substantially. One way to enhance professional agility and response to threats without taking too many risks is by starting with broadly secure platforms and then extending those protections.
According to Blog.Box.com, information security management departments should choose software that is built with the CIA triad in mind: confidentiality, integrity, and availability of data. Those fundamentals are the foundation of a secure platform and reduce strain on overworked cybersecurity professionals, but it’s important to remember that they’re only the beginning.
Rethinking Hiring Practices
In addition to choosing inherently secure platforms as the basis for organization systems, another step that today’s businesses, non-profits, and government bodies need to consider if they’re going to close the cybersecurity skills gap is to change how they approach hiring.
Specifically, some advocate implementing new hiring practices based on soft skills with the hope of not only expanding the applicant pool for the field, but specifically diversifying it.
Why look for soft skills in such a technical industry? The answer is complicated, but there are several reasons this approach makes sense. First, many of the biggest problems in cybersecurity actually require automation-based solutions. And, second, historic hiring practices mean that only a narrow group of professionals have been identified as prospective staff, and a narrow hiring framework means a narrow set of solutions.
Training Expands Its Scope
If organizations are going to hire cybersecurity professionals based on soft skills, or even find new professionals at all, one step that’s going to be vital is training. But training takes time and money so, seeing the pressing nature of the cybersecurity skills crisis, a number of large companies, including Fortinet, have committed to training new workers for the field.
This is advantageous for the company itself, as a cybersecurity vendor, but as with the other companies pledging training support, the offer’s benefits will extend well beyond the individual companies to serve other businesses needing such staff.
Speaking Of Speed
Returning to the issue of speed in the cybersecurity industry, one of the problems arising from current staffing shortages is the fact that, without enough professionals, issues with software and code aren’t uncovered and resolved quickly enough.
That leads to more zero-day attacks, as hackers and other cybercriminals breach platforms before cybersecurity teams even have a chance to address them. Delayed patching is a big enough problem, but an easily automated one. If businesses haven’t identified the problem, resolving it before an attack isn’t even an option.
No matter how businesses approach training and recruiting new cybersecurity professionals, the existing problems in the field – failures in automation development and security theory, among others – are really just the tip of the iceberg.
That’s because, as technology use expands and the tools themselves become more complex, security challenges are growing in parallel. Worst of all, in light of the skills gap, too many programs have been launched without proper security considerations. As such, new cybersecurity professionals are stepping into a field overrun with issues, and it’s nearly impossible to catch up. The scope of the crisis requires multiple solutions at once, but those who understand the industry need to start somewhere, and once there are more staff, there’s really no wrong choice.
Industry-Wide, And Individualized
When we talk about closing the cybersecurity skills gap, the statement really speaks to two different problems. Not only are there not enough cybersecurity professionals overall, but individual businesses don’t have enough staff, so it’s a problem that needs to be solved at both levels. Training more cybersecurity professionals won’t necessarily help staff individual companies, which means that everyone concerned about the industry needs to invest in development.
Cybersecurity will always be in a race with cybercrime, but there’s no reason for the professionals to be so far behind those who seek to sow chaos. With more staff, we can close the gap between the two parties, but it’s not a problem that can be solved overnight. It took years to create this crisis, and it will take years to climb out of it – and only with concerted effort.