By Brent Gallo
If you are a business owner, company executive, or human resources person trying to hire cybersecurity professionals, then you are likely affected by the ‘cybersecurity skills gap’. According to CyberSeek, there are approximately 600,000 cybersecurity jobs currently open in the United States.
This shortage of skilled cybersecurity professionals has made businesses more vulnerable to cyberattacks and continues to fuel burnout among existing personnel. On top of that, malicious hackers have become more sophisticated by adopting corporate business principles into their attack execution. This enables them to attack and take down both large and small organizations more efficiently, making the skills gap a significant problem.
Growth in the Industry
Although we’re seeing significant growth in education, upskilling, and career transitions into the cybersecurity industry, we’re still struggling to close the skills gap. Approximately 260,000 people entered the workforce between 2020 and 2021, according to the “2021 Cybersecurity Workforce Study.” That doesn’t even account for half of the current job openings in the industry.
The need for cybersecurity professionals to enter the workforce is expanding as businesses continue to grow and depend on technology for their daily operations. Some estimate the skills gap will widen to 2.5 million globally by 2025, according to Cybersecurity Ventures. With more people entering the workforce each year, one might think we should be able to close the gap. Unfortunately, that hasn’t been the case. It raises the question: why do so many of these jobs remain unfilled? Is the problem truly skills-related?
These numbers have sparked industry debate, and the skills gap has come to be regarded by some as something of a myth.
I personally have seen people online post how they have tried and tried again to get a job in cybersecurity and have failed. These people have credentials and experience, though they are often told they do not have the exact expertise many hiring managers are looking for. Yet, if there is such a significant shortage, why are these people nonetheless not getting hired?
I understand that every candidate is different and may not be the right personal fit for a company, but if the workforce is short by 600,000 personnel, then organizations may need any help they can get. And frankly, every company could use someone with cybersecurity expertise on their team.
So, is there really a skills gap? And if not, what is the real problem here? I suggest something altogether different, which includes several different variables to consider:
The Education Gap
I do believe there is a skills gap based on the numbers above. However, something else is lost in translation for many of these positions. I believe the way employers define cybersecurity and its various roles may be to blame – through no fault of their own. Cybersecurity has evolved into a very comprehensive industry that includes a number of unique positions and skills, each dependent on a specific scope of work.
As organizations attempt to hire for their unique cybersecurity needs, they often lack the knowledge to identify which positions they need, or the different skills required for each position. Unfortunately, they often end up posting jobs that require a number of skills spanning different professions within cybersecurity, which makes entry level cybersecurity professionals a poor fit for the job.
Because these skills belong to different roles in the industry, finding a single person who holds every one of these skill sets is extremely difficult, because it takes many years of experience and deep technical knowledge to master just one role.
Many companies may face financial constraints when trying to find a well-equipped applicant within their budget. Cybersecurity professionals with a multitude of skills are in high demand and will require a higher salary. Most organizations are not prepared to pay the salary required for someone with all of their desired skills, making it nearly impossible to find the right professional.
A single applicant may find it extremely difficult, or even compromising, to uphold all the responsibilities that come with such a broad position. This cycle of pressure has also led to a high level of burnout in the cybersecurity industry. It has even compelled some to change career fields entirely and exit IT and cybersecurity. Those who have felt this pressure don’t want to do it again. With too many tasks and not enough support, a lone cybersecurity professional usually does not last long. The result is an organization left vulnerable to a cyberattack.
I am glad organizations are starting to take their cybersecurity needs seriously, but we’re continuing to face as much an education gap as a skills gap.
Who’s to Blame?
The blame for not finding the right person for the job often falls on recruiters and human resources, but it isn’t necessarily their fault. They, too, aren’t given an accurate portrayal of the position. Instead, they are handed job requirements for a person with an unattainable level of skills, along with a budget unlikely to fill the position with just one person.
To change the cycle and fix the problem we must start by educating from the top of the chain and work our way down to the recruiters.
Steps to take
How do we improve and overcome an absence of understanding of the cybersecurity profession, and the roles within it, at higher organizational levels?
The first step is for companies to self-reflect on an industry that continues to grow, diversify, and specialize. Start by working with recruiters or professionals familiar with the industry – those who are knowledgeable about the key differences between specialists. Moreover, consider increasing hiring budgets to build and support a team of professionals who can properly maintain the company’s security needs. To improve a company’s cybersecurity efforts, organizations need a team! And to best protect against the threat of a cyberattack, a diverse group of cybersecurity professionals (and skills!) is needed.
Example of the Problem
Below is a job posting I recently saw. I actually spoke to the Chief Information Officer (CIO) of a company with about 2,500 employees. The CIO said that they wanted one person to fill the role below. They already had an IT team that had been doing some of the cybersecurity tasks part-time, but now they wanted a full-time person for the job.
As I break down this job posting into specific job roles, you might begin to see why it may not be practical for one person to do this job. This role is actually a combination of several roles, with the expectation that both this depth of technical knowledge and this level of strategic thinking can be delivered by a single individual. This is likely not the case. Instead, a team is required in order to do these tasks effectively so that cybersecurity threats can be addressed proactively.
Following each sentence or task is a number identifier for the role that conducts and/or contributes to the desired skill. Readers may notice that multiple roles may contribute to completing one task, but this does not mean that one person could do the job alone. Different levels of technical analysis and critical thinking are needed to address some tasks.
There are many different cybersecurity roles in the industry. This is not a full listing and more roles could be added. This job listing requires skills specific to six unique cybersecurity professions listed as follows:
1- Cybersecurity Analyst/Incident Responder – Responsible for analyzing and identifying potential security incidents and escalating them appropriately.
2- Network Security Engineer/Network Administrator – Responsible for administering switches, routers, servers, and other devices, and for configuring and implementing a secure network. Cloud-specific roles are grouped here too.
3- Penetration Tester – Responsible for testing network defenses and making recommendations to better secure the network.
4- Information Systems Security Officer (ISSO) – Responsible for developing and maintaining security plans.
5- Security Control Assessor (SCA) – Responsible for auditing and testing security controls in place.
6- Chief Information Security Officer (CISO) – Responsible for enabling the security team, developing cybersecurity related policy, defending business operations, and informing the business of cybersecurity risks.
Identifiers – 1,2,3,4,5,6
Additional comments appear in parentheses.
“The Sr. Cyber Security Analyst will be responsible for identifying, analyzing, and influencing the management of information risks across the organization, as well as ensuring the implementation and compliance with all IT controls. - 1,2,3,4,5,6
The incumbent will help develop, implement, and maintain a strong and effective Cyber Security program. - 1,2,3,4,5,6
This role will be responsible for following the technology trends regarding cyber security and recommending necessary changes to the company's cyber security environment. - 3,4,5,6
The incumbent will monitor and respond to cyber threats and make recommendations as to mitigation or remediation of such threats. - 1,2,6
This role will not only serve as an advisor on all cyber security matters, but also be hands on with implementing suggested changes into the environment. - 2,4,5
As such, the ideal candidate will have extensive experience in handling network administration and system administration tasks in a Windows environment. - 2
Hands on implementation skills will be critical to the success of this position. - 2
COMPETENCIES AND SKILLS:
• Installing and configuring network equipment to update or fix hardware/software issues - 2
• Updating definition files and pushing those to all devices across the company - 2
• 5+ years of experience in Network and Systems management as it relates to cyber security and risk mitigation. - 2,6
• Detailed understanding of PCI environment and ability to implement security suggestions based on PCI - 1,2,3,4,5,6
• Detailed knowledge of Windows Azure security, AWS or other cloud platforms. - 2,6
• Knowledge of cloud security environment with and without SSO - 2,6
• Experience handling different tools such as CloudFlare, working with vendors such as Red Canary etc. - 1
• Knowledge of Incident management and Incident response. - 1,2,4,6
• Experience in providing training to internal users (both IT and non-IT), conducting simulations, lunch & learns to educate the team members on cyber security. - 6
• Knowledge of different environments: Cisco, Juniper, Palo Alto and other leading network gear - 2
• System administration - Windows Server 2012-2019; VMware; AIX - 2
• Detailed network security skills in the Cisco Catalyst, Cisco Nexus, Brocade platforms - 2
• Advanced problem solving - Able to dive into an issue, discover the root cause, understand why it happened, and prevent it from happening again - 1,2,3,4,5,6
• Strong ability to understand the overall cyber security landscape, relate those needs to our current IT landscape and suggest a roadmap to achieving the same - 4,5,6
• Must have the ability to build a plan and also implement the plan in coordination with the IT Infrastructure team - 2,6
• Must have knowledge of important cyber security frameworks such as PCI, HIPAA, ISO:27001, CIS-Top18 and controls/frameworks - 4,5,6
• Detail oriented approach - Understanding how the system works and knowing which tool to use; being able to repeat a process and explain that process to management - 1,2
• Self-motivated - Take on the next task or issue without being told to; must be self-sufficient - 1,2,3,4,5,6
• Information security policy maintenance - Create, update, and delete policies and procedures as new and old developments arise - 4,5,6
• Firewall administration - Palo Alto - 1,2
• Security tool administration - Splunk, Carbon Black, ELK Stack, etc. - 1,2
• Network protocol knowledge - RDP, SSH, TCP, FTP, SFTP, ACLs, etc. - 1,2,3,4,5,6
ESSENTIAL DUTIES AND RESPONSIBILITIES:
• Safeguard system assets by identifying and solving potential and actual security problems - 1,2,3,4,5,6
• Protect systems by defining access privileges, control structures, and resources - 1,2,6
• Recognize problems by identifying abnormalities and reporting violations - 1
• Implement security improvements by assessing current posture and evaluating new risk trends - 2,4,5,6
• Conduct periodic audits and pen tests - 3,4,5,6
• Maintain technical knowledge through research, publications, and classes (All Roles if you have time. You probably will not if you are working six roles at once.)
• Maintain security and software updates/patches - 1
• Triage, respond, and find root cause to security related incidents - 2,6
• Effectively communicate with upper management - 3,4,5,6
• Educate business by holding learning sessions and performing phishing campaigns - 3,6
• Other duties as assigned” - 1,2,3,4,5,6
As you can see, this single job requires several types of cybersecurity professional to do. No one person can do this role effectively.
Analyze Your Risk
To begin solving this issue, organizations must first look within themselves and determine how their business and cybersecurity priorities align. Does the organization have a low, moderate, or high appetite for risk? Organizations should ask themselves: if information were compromised, what would the resulting damages be? Some examples of damages are financial losses, loss of reputation, and loss of trade secrets, among others.
See the definitions here.
Risk Appetite Definitions
A compromise would be limited and generally acceptable for the organization, resulting in minimal monetary, productivity, or reputational losses. There would be only minimal impact on normal operations and/or business activity.
A compromise would be marginally acceptable for the organization, resulting in certain monetary, productivity, or reputational losses. Normal operations and/or business activity would be noticeably impaired, including the potential for breaches of contractual obligations.
A compromise would be unacceptable for the organization, resulting in significant monetary, productivity, or reputational losses. The ability to continue normal operations and/or business activity would be greatly impaired, potentially resulting in noncompliance with legal or regulatory requirements and/or loss of public confidence in the organization.
Defining the Roles and Tasks
Now that the risk appetite of the organization has been determined, it needs to work with a cybersecurity firm or recruiting agency to figure out who will be needed to meet its security goals. From there, the specific skills and desired tasks can be shaped as well.
Once that step has taken place, the organization can justify hiring the people it needs to defend itself from cyberattacks and begin allocating budget to the need.
The Human Resources department can then successfully hire people for all of the skill sets and tasks the organization needs to defend the network.
Invest Now or Pay Later
Now I know what some readers may be thinking. There may not be a budget for a team of cybersecurity personnel. Even after the need for them has been identified and justified, the money is just not there. Company budgets are often tight for IT and cybersecurity, but it is time for companies to understand the need to fund these departments appropriately.
It’s not a matter of if an organization will be attacked, but when. Just between 2020 and 2021 there was a 31% increase in cyberattacks according to Accenture’s State Of Cybersecurity 2021 report.
Organizations know that they greatly depend on technology for their daily operations. Now is the time to protect technology.
When technology goes down, most businesses scramble to get back up and running, and within that timespan they lose thousands of dollars in sales, working hours, and more. This exemplifies why it is imperative that organizations protect their technology and business operations by investing in the cybersecurity staff they need.
Did you know that the average ransomware attack takes 21 days to resolve? Imagine not being able to conduct business for three weeks. Most companies could not survive that kind of blow.
Now is the time to give organizations a fighting chance by investing in cybersecurity personnel. Make the organization a hard target, like a fortified castle. Make it so attackers do not find any vulnerabilities and get frustrated because they are not making any progress and move onto someone else.
Hire Entry Level
To help overcome the skills gap, organizations must also hire entry level cybersecurity professionals. Not only can these individuals better fit budgetary needs, but they can adapt and grow with the company to improve its cybersecurity. Entry level professionals can become masters of their cybersecurity domain, enabling them to do their job effectively and make a considerable contribution toward protecting the organization. Convert them into the specialists you need.
Entry level personnel will also be more affordable for organizations with younger cybersecurity programs, allowing an organization to budget for and grow its cybersecurity program over time.
Separate the IT and Cybersecurity Departments
Lastly, a final thought from your friendly Cybersecurity Pro: separate the IT team from the cybersecurity team. IT professionals focus on keeping the network up and running. Cybersecurity professionals work to protect the organization as best as possible. Organizations need both departments because their priorities often compete. If there is only an IT department, the IT priorities will always win and cybersecurity will get put on the back burner, and vice versa. Together, these two teams can balance business priorities against cybersecurity risk and maintain a functioning enterprise that will be resilient for years to come.
What you can do
If an organization does not take these steps to prioritize cybersecurity, or does not have the funding for a cybersecurity team, it may consider outsourcing its cybersecurity needs to a cybersecurity firm or managed service provider equipped to assist. Working with a cybersecurity consulting firm or managed service provider can provide flexibility without sacrificing protection.
Let someone who is passionate about cybersecurity protect the organization like those at Hire A Cyber Pro. Organizations can also choose to work with Hire A Cyber Pro to help with cybersecurity workforce planning and recruiting needs. We are cybersecurity experts committed to protecting your business.
M.S. Cybersecurity, Certified Information Systems Security Professional
Brent Gallo is a Cybersecurity Consultant and founder of the cybersecurity company Hire A Cyber Pro. Brent specializes in helping executives, business owners, and IT teams identify and reduce their cybersecurity risk. Brent became passionate about cybersecurity during his service in the United States Air Force where he worked alongside the National Security Agency meeting national security priorities. Brent now serves his local community by helping businesses protect what they have worked so hard for.
Check out our website: https://www.hireacyberpro.com/
Add Brent Gallo on LinkedIn at https://www.linkedin.com/in/brent-gallo-38a89266/
Email Brent at firstname.lastname@example.org
Have questions? Want to increase your cybersecurity posture? Then set up a meeting for a free consultation. We will talk with you soon.