A huge Cyber problem that is confounding Corporate America (and companies worldwide) is the lack of a solid Cybersecurity workforce. While there are skilled workers out there, there aren’t enough of them to meet the demand. IT Security teams are now being stretched to well beyond their breaking points, and the burnout rate has probably reached its highest level ever.
Consider some of these key findings* which further illustrate the severity of this shortage:
- Worldwide, there are over 4.07 million Cybersecurity jobs to be filled.
- 561,000 jobs in the United States remain unfilled.
- There are 2.6 million jobs that remain unfilled in the APAC region.
- The European Union has reported a complete, 100% deficit in their Cybersecurity workforce.
- 65% of businesses worldwide have reported that they don’t have enough qualified Cybersecurity workers.
- Hiring must grow by at least 145% to meet the global shortage, at least minimally.
- 51% of companies report that they are at risk of a major Cyber attack, specifically due to the shortage of Cybersecurity workers.
*“Cybersecurity Skills Shortage Tops Four Million,” Info Security Magazine
What can be done to resolve this problem? This is the focal point of this article.
What Is the Solution?
Hire young college graduates: At least here in Corporate America, the trend is to hire only the seasoned Cybersecurity professional. The primary reason for this is that companies want only individuals with deep levels of experience to protect their digital assets. To a certain degree, this is understandable. But keep in mind, this is a double-edged sword. For example, if only the seasoned professionals are entrusted to safeguard the crown jewels of a business, you will still experience a shortage of workers. The reason for this is that if you only want the “best of the best”, you are going to have to offer a very lucrative compensation and benefits package. This can, of course, take a hit on the bottom line, especially during the rough times like the COVID-19 pandemic. Because of this, your seasoned and most entrusted workers will burn out very quickly, quit, look for another job, or even start their own business. In the end, there is nothing to be gained. So, you need to take that chance and hire much younger workers who will most likely be fresh out of college or some kind of certification program. In this regard, it is important to think about the long-term effects. If you do hire a college graduate, and train them to protect your mission-critical information and data, the chances are greater that they will feel a stronger sense of loyalty, and perhaps even be your employee for a very long time.
Hire outsourced talent: In today’s gig economy, there are many Cybersecurity workers available on a contract basis. A typical example of this is the virtual Chief Information Security Officer (vCISO). This is where you hire an experienced, third-party individual to literally be your virtual CISO for a fixed-term contract. The primary benefit of this is that you do not have to pay an exorbitant salary or benefits package; you just pay a flat fee, which is typically around a few thousand dollars. These individuals will offer candid, neutral, and unbiased advice as to how your company needs to better fortify its lines of defense. They are also likely to have other contacts that help to further augment your existing IT Security staff, especially in the way of conducting Penetration Testing and Threat Hunting exercises, and providing security training for your other, non-IT employees. Although it would be nice to have a permanent, full-time staff that you can always count on, hiring contractors is also a great way to go, especially if you don’t have the budget for a full-time team. For example, with outsourced employees, you can quickly ramp up or ramp down your staffing needs, especially if you are a small or mid-size business. But there is one especially important thing to keep in mind: If you are looking at hiring contractors, you must make sure that they are vetted as fully as possible. There are two reasons for this: 1) You are entrusting them with the databases where the Personally Identifiable Information (PII) of your customers is stored; and 2) If one of these contractors makes a mistake which leads to a security breach, they will not be liable for it; you will be.
Make use of Automated Tools: Another factor that is stretching IT Security teams to their limits is that, on a daily basis, they are being bombarded with tons of alerts and warning messages from all of the security tools/technologies they have deployed. At the present time, most businesses in Corporate America must triage all these alerts and warnings manually, which can take hours, if not days. Because of this, the alerts/warnings that are legitimate very often fall through the cracks, thus exposing the business to an even greater risk of becoming a victim of a large-scale Cyber attack. In this regard, you should seriously consider making use of Artificial Intelligence (AI), especially in the way of Neural Networks. This allows you to quickly and seamlessly automate the process of filtering out and discarding the false positives, and only presenting those alerts/warnings which appear to be legitimate. AI-based solutions are very affordable these days, and many of them come as hosted offerings via the Cloud. This makes it fairly easy to deploy them. But best of all, they are also scalable to fit your needs. The bottom line is that your existing IT Security employees will not be so overburdened and will thus be on their A-game when it comes to protecting your business.
Consider hiring those Cyber attackers who have turned over to the “Good Side”: Yes, it is quite possible that, as with Darth Vader in Return of the Jedi, Cyber attackers can turn over a new leaf and become what are known as “Ethical Hackers.” They are often hired for bug bounty programs that are offered by some of the largest IT companies, including the likes of Oracle, Microsoft, Apple, and Google. They are called upon to break the new applications that these companies develop, to discover any unknown vulnerabilities, gaps, weaknesses, backdoors, etc. In return, if an Ethical Hacker finds something and offers a solution to fix it, they are paid a huge (often five- or six-figure) bonus. If you want employees that think exactly like a Cyber attacker does, why not hire actual hackers? To find such individuals, you can reach out to the large IT companies mentioned above and advertise any open Cyber-related positions that you may have. Or, if you have some extra money on hand, you could even deploy your own bug bounty program. And if you are impressed enough with an Ethical Hacker, then you should probably hire him.
Create internships and/or apprenticeship programs: It is especially important to spark a deep level of interest in Cybersecurity when individuals are at a very young age, especially when they are in their teens in junior high or high school. To do this, you can partner with your local college, university, and/or even high school and offer various sorts of internships, apprenticeships, summer camps, etc. to students. If students exceed your expectations, you might even mentor them as they enter college, and continue working with them so that you can hire them as your employees after they graduate. One key thing you should also consider is to offer some sort of financial help for training or taking the actual exam, if they are interested in obtaining a Cybersecurity certification that is relevant to your company.
Conclusions
Filling the Cybersecurity workforce deficit on a macro level will take quite some time to accomplish, but the solutions presented in this article will help you to fill the voids in your own company quickly, easily, and with the right individuals.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.
Visit his website at mltechnologies.io