Every CISO knows that finding skilled security staff these days is not only hard but getting harder. The number of organizations reporting a cybersecurity skills shortage has risen every year from 42% in 2015 to 53% last year. Estimates suggest this will translate into a shortfall of around 2 million unfilled cybersecurity positions in 2019, rising to 3.5 million by 2021.
There’s no shortage of people talking about the problem either, with increasing demands for more cooperation between universities, private organizations and government to boost training opportunities and encourage more diverse applicants into the field. But if your organization is facing a shortage problem today, you can’t wait for a talent pipeline to emerge in 3 or 5 years time. What practical steps can you take now?
1. Lower the Skill Level
It might sound revolutionary, but one obvious way to match the skills that are available to the skills that are required is to lower the skill requirements. How? Look for and invest in tools that provide the functionality you need in a simpler, more intuitive way. In other words, tools that require less specialist human skill because they use machine smarts to automate complex tasks.
Many CISOs today understand the need to move away from ineffective, labor-intensive legacy AV security products. Security leaders in many organizations are reducing hiring problems by moving toward automated endpoint detection and response solutions that use machine learning to process vastly more data than human “agents” can.
Beware though: there are many “next-gen” products on the market, but they are not all created equal. You don’t want a solution that just changes the work your staff have to do, or that makes it harder for them just to stand still instead of moving forward. Look for next-gen AV products like SentinelOne that are manageable by the staff you have now, with the training they have now, and which makes onboarding for new employees straightforward.
At the very minimum, reducing the workload means a single-agent solution that integrates across all your platforms and lets you manage sites from a simple, intuitive console. You want a solution that won’t bury your staff in multiple alerts for each suspected attack—that is just going to make your staff work more, not less—but instead provides a single alert and a contextual attack storyline that can be understood by any competent IT staff without the need for long training courses or specialist, expensive certification.
2. Spread the Load For Your Security Professionals
Imagine if every one of your employees – not just your IT team – were a part-time, volunteer “security officer”. Where would your skills shortage be then? Of course, that’s not going to be a realistic proposition in many cases, but the idea of getting more of your current staff involved goes hand-in-hand with having streamlined security solutions that are easy to learn. Consider rotating staff from other departments into your IT or security teams on a regular basis so that as many employees as possible know the basics of how your security team (and its tools!) function.
Aside from helping you to spot potential talent from unexpected areas of your organization, having transparency into what your Security Operations Center (SOC) or security team does, what it deals with and how it handles it, will increase understanding and vigilance across your business.
3. Raise Awareness About Cyber Attacks
You might not be able to give every member of your staff a taste of “a day in the life of a security engineer”, but for those that you can’t, education is a powerful weapon that will reduce your SOC’s workload. Increase the conversations in your workplace that concern security with more than just occasional “Security awareness” seminars (although don’t forget to run those, too!). Increasing awareness creates more vigilant staff, and more vigilance means less chance of attacks ever getting past your weakest line of defense: the people on your network. That, in turn, will help lessen the burden on your SOC or IT security team.
With phishing and spear-phishing campaigns the primary vector of credential theft, consider running regular phishing awareness and phishing simulation campaigns on your staff to make them aware of just how convincing phishing attacks can be.
On top of that, if you’re not employing some kind of media or device control on your endpoints, raise awareness about the dangers of infected USBs and just how easy it is for employees to unwittingly compromise the firm’s security. You could even consider replicating the famous USB key dropping test carried out at the University of Illinois. Social engineering keys are the easiest to create as they use simple HTML files and phish users for credentials.
The point is try to think creatively about how to engage staff with security issues that intersect with their everyday work and practices. Whether it’s the folk in Marketing and Sales, Finance and Accounting, or R&D and Engineering, cybersecurity comes into contact with them all. However you do it, aim to integrate all your staff as “security partners” and avoid isolating your IT team. If your security team is hiding away under the stairs or in a small back office, you’re insulating your staff and the knowledge they hold not just from each other but also from the security issues that face your entire business.
4. Increase Network Visibility
Your cybersecurity skills shortage is related to the complexity of your network. The variety of devices that connect to your network, whether they be running Windows, Linux, or macOS, whether they be Desktop, Notebook, mobile or smart “IoT” devices, the greater the attack surface presented to adversaries, and the more work you have to do to monitor and protect them.
Then there’s the supply chain to consider. How well-protected is the development cycle of your third-party vendors? For those that have access to your network, how well do they protect the keys to your kingdom? It’s a lot of bases to cover, especially if your security team is lean.
The answer to network complexity is network visibility. If you can’t see what devices on your network are doing, you can’t protect your network against them. Automated AI solutions can help bring visibility to your network so that you can see who is traversing it and what they are doing. However, make sure the next-gen AV product you choose has the ability to inspect encrypted traffic, as bad actors are increasingly operating with SSL certificates and communicating via https. This is still a blind spot for many next-gen security products.
5. Plan for Tomorrow
Sure, that talent pipeline may be a few years away, but your organization isn’t going anywhere and neither is the demand for a certain amount of skilled staff. Ensure that you’re building for your cybersecurity needs not only for today but also for tomorrow. You’ll attract better candidates if you can offer an organization that has industry-leading tools and an enlightened, company-wide approach to managing security.
While interviewers like to ask candidates “where do you see yourself in 5 years time?”, it’s a good question to ask the same about your current cybersecurity defenses and strategies. Are they going to keep up with an increase in automated attacks, new devices and new working practices? Will they help simplify the security tasks you have to tackle today and tomorrow, or will they just burden you with an ever-increasing need to hire an army of experts to protect your customers, data and reputation?