The overwhelming consensus: There’s a cybersecurity skills shortage. Some surveys have identified a cybersecurity skills gap in slightly more than half of surveyed companies, while other studies put the deficit higher and more dire, with the share of companies lacking cybersecurity expertise registering in the high sixties or seventies percent.
Why is this important? In a survey, ESG found the biggest contributors to security incidents were:
- Plug-and-click-don’t-think human errors
- A lack of cyber risk understanding
- Cloud, mobile and software-as-a-service (SaaS) adoption without the proper security controls
- A lack of organization-wide cybersecurity training – including against social engineering ploys utilizing increasingly deceptive phishing, spoofing and ransomware tactics that steal money and data
- The IT security staff’s inability to keep up with workload, including important patches and security awareness.
When you are understaffed and undefended by the latest cyber protection, your entire organization, particularly its end users, becomes low-hanging fruit for infection by the latest, nastiest malware that wants to spread. Cases of cities, hospitals, and large retail companies being hacked, and, in some cases, held for ransom via captured control of their data, bring to mind the need not only for effective reactions to a digital attack but also for more proactive protections. It’s not just big businesses and well-known brands getting hit. It’s a financial data game, and small and midsize businesses are in the crosshairs of both widely distributed and targeted attacks.
The cybersecurity skills gap is acknowledged inside and out. Ninety-four percent of cybersecurity professionals in an ISSA and ESG study said they believe the advantage has tilted to cyber-adversaries over cyber-defenders.
Cybersecurity Gaps: Do You Hire, Widen the Search, Train, Infuse?
You can keep recruiting during a cybersecurity talent shortage in which revolving-door turnover is high, or you can turn to managed service providers (MSPs) and managed security service providers (MSSPs) equipped with smart cloud security-as-a-service.
During a talent shortage, the human-resource search extends outside the organization and outside a core curriculum, analogous to the way R.A.D.A.R. pioneers over time developed and honed futuristic radar technology applications by leveraging cross-disciplinary expertise across physics, navigation, engineering, electronics, meteorology and mathematics. In addition to ethical hackers, future cybersecurity expertise might come from people who are app developers, behavioral economists, and even musicians, who could possess applicable skills and organizational mindsets.
Then, in consultant-orchestrated central information security think tanks, organizations can determine ways to chip away at the cybersecurity skills deficit, while existing network and IT staff can gain visibility and control over network blind spots. As your organization improves its security posture through a cybersecurity service partner, it might train and promote from within, while IT security learning occurs through osmosis.
How much can a CISO consultant, aka virtual CISO (vCISO), save an organization? If hired full-time, CISO base salaries range from the low USD 100ks to high 200ks. Gartner reported a higher-end salary average of $270k per year. The consultant model can be a more flexible model for midsize enterprises to harness: you can contract a CISO when needed (i.e., project basis or at healthy regular intervals) versus having to pay full-time salary and benefits, which most small and midsize businesses say they just can’t afford.
Not only will the right consultancy help a funds-limited organization tighten network security processes so time and money aren’t wasted, but it will also teach your staff ways to automate human-error-prone processes that no one wants to do or manage anyway.
The team dynamic builds bench strength within the security-conscious organization and among MSPs themselves, who gain deeper knowledge about specific enterprise security scenarios and defense strategies.
Why Bother Building ‘Bench Strength’ During a Cybersecurity Talent War?
Put simply, bench strength is the amount and quality of personnel ready to step into vacant positions. It’s easy to visualize an athletic coach, a manager or executive looking down both sides of the bench and trying to identify someone ready to fill a position after a starting player is no longer available.
But bench strength is a two-sided coin, not just a matter of the coach’s or organization’s perspective. It should also be seen from the perspective of well-rounded IT and network personnel who regularly have to step into cybersecurity duties and may eventually be qualified and willing to occupy a closer-to-full-time IT security role in your organization or another. But in too many small-to-midsize businesses, these individuals are already saddled with too many hats to become advanced security experts and keep up with the latest threats. With consultant help and security orchestration best practices, your organization can secure daily operations while nurturing people toward cybersecurity career opportunities within the company.
So, the coach or manager glances down the bench, left and then right, searching for assistance (a difference-making role player) as the outcome begins to turn in an adversary’s favor. Can a consultant team leader help network and IT personnel reinvent themselves and assemble into an effective virtual CISO (vCISO) team, and can future leaders be identified in a person or “by committee”?
Cybersecurity Help From the Cloud
The cloud managed service provider model offers budget- and time-strapped organizations affordable advanced security through security-as-a-service. Keeping up with security updates, patches, and equipment investment and maintenance isn’t the fun part of the job for many busy network and IT individuals. They wear a lot of hats, and software patches and license management can get in the way of working to bring strategic value to the business. Get these people ‘wearing too many hats’ some help from cybersecurity experts and the automation of mundane processes from OPAQ and its managed service partners.