Report: Cybersecurity Skills Shortage Requires Different Approach

Brian Thomas | July 11, 2019 | tag: Cybersecurity

If your organization is grappling with a tight cybersecurity talent pool, you’re not alone. According to Gartner, 61% of organizations struggle to hire security professionals. It’s a problem that’s only going to get worse. The Harvard Business Review predicts that, by 2020, there will be more than 1.5 million unfilled cyber positions worldwide.

It couldn’t come at a worse time.

The advent of 5G and the explosion of the Internet of Things (IoT) are expected to add 20.4 billion connected devices to global networks by next year alone. A hacker’s favorite target, these devices pose an often-overlooked security risk.

Consider the energy sector, a major bull's eye for cyber hackers. A study by IBM and Oxford Economics found that energy and utilities companies invest 7% of their IT budgets in deploying and maintaining IoT technology, yet spend only 1% of that budget on securing it.

IoT isn’t the only risk factor. The report also found that few companies have the knowledge or resources to take proper precautions or keep pace with digital transformation.

A new mindset is needed

While colleges and universities are responding to the demand for cyber skills by offering undergraduate cybersecurity programs, addressing the skills shortage is a complex and multifaceted issue—one that can’t be solved in the classroom alone.

Speaking at the recent Gartner Security and Risk Management Summit, Sam Olyaei, director of the analyst group’s security and risk management team, suggested that the real challenge lies in how security leaders are addressing the issue. “The problem is really our mindset has to be shifted away from thinking about open roles that can be hired out in the market to actually optimizing the security function in ways that can actually help you procure the competencies we need.”

Companies are putting too much weight on certifications, continued Olyaei, or don’t know what security skills they need. There’s also a lack of standardization around job titles and what they mean, and an absence of clear career paths for security professionals. These factors can be remedied, suggests Olyaei, by standardizing titling in security roles according to NIST’s cybersecurity workforce framework and using enticing job titles and descriptions that attract candidates by stressing growth opportunities and flexibility.

Automate security so employees can build new skills

In addition to Olyaei’s recommendations, Gartner’s Beth Schumaecker urged security professionals in growth industries to implement an adaptive automation strategy that allows them to better utilize the skills and people they have. Repetitive operations tasks such as continuous cybersecurity monitoring functions, for example, are prime targets for automation, freeing teams to focus on more strategic work.  

Automation can also help free up employees to learn new skills that are critical to keeping your business protected. Today, cyberattacks touch every corner of the organization and security leaders are increasingly being asked to assume the role of security champion and digital risk officer. To be successful in this role, they must break down the silos between the Security Operations Center (SOC) and the boardroom. This requires a new set of “soft”, non-technical competencies, such as the ability to communicate clearly and succinctly, business acumen, and an understanding of corporate goals. Each of these holds the key to better aligning security practices with the wider objectives of your organization.

Cyber gap closed, talent pool opened

By shifting your organization’s mindset about the ways in which your security function can be optimized and mapping that back to your workforce strategy, you’ll be able to close the cybersecurity skills gap and open the doors to a wider and more diverse talent pool. Going the extra mile and supporting this talent with automated cybersecurity practices will help you establish a sound security posture that requires less manual labor. Then, security professionals can put their focus where it counts: proactively safeguarding your business against whatever might be coming next. 
