This is a summary of an article written for Forbes. The entire article can be found here.
According to the 2019 Cybersecurity Workforce Study conducted by (ISC)², over 4 million new cybersecurity workers are currently needed to meet global demand. Forecasters predict that this gap will only continue to widen, just as the cyber threat landscape grows more complex. While the cybersecurity industry grapples with a growing shortage of skilled professionals, FortiGuard Labs monitors one hundred billion cyberattacks and at least two million attempted virus penetrations per day.
With such a large number of cyber threats to deal with, targeting every inch of the network’s potential attack surface, strained security teams can feel overwhelmed. Sandra Wheatley, Fortinet’s SVP of Customer Marketing, Threat Intelligence, and Influencer Communications, explained the challenge to Forbes: “The cybersecurity skills gap is one of the biggest challenges for security organizations. It’s not unusual for organizations to have up to 30 different security vendors on their networks. That’s really hard to manage. You need to bring on more people or focus more on technology and automation.”
But bringing more people on board is increasingly difficult to do.
Cybersecurity now requires a highly refined skillset. Cybercriminals are employing sophisticated technologies (including AI and ML) to launch billions of attacks a day. And while many are “spray and pray” tactics, we are also seeing an increase in custom, targeted attacks. Security professionals need to have a firm grasp on the ‘how’ and ‘how often’ behind each attack to successfully defend their networks and data. Today, rather than fending off a single attack launched by a single threat actor, security teams may be dealing with dozens of cybercriminals all launching the same attack at the same time. And worse, those attacks are augmented with offensive automation. An effective response is a matter of machine speed rather than human speed.
This is why AI and ML are increasingly valuable tools on the defensive front. But they need to be coupled with trained professionals. Fortinet's Derek Manky, also featured in the Forbes article, shares that: “AI and automation are tools to replace the day-to-day tasks – but we still need the humans [because] today’s attack surface has created a substantial need for specialized talent. It’s very important that there’s a blended approach among CISOs.”
The question is how to fill that growing cybersecurity gap in an organization. Here are three key suggestions for CISOs looking for new ways to bring in additional cybersecurity talent:
The cybersecurity gap is, in part, a self-perpetuating problem. Employees burn out quickly when their teams aren’t adequately staffed. In addition, because they are in high demand, security professionals frequently jump from one role or team to another as competing organizations present better offers in terms of compensation or benefits.
“We’re often fishing from the same pond. If you have a talented analyst in one organization and, let’s say, law enforcement hires away that resource—okay, now you have someone to help prosecute a crime, but you’ve opened up a new gap on the defense side,” says Manky.
Manky and Wheatley both recommend strengthening public-private sector relationships to help alleviate this problem. Partnering with nonprofits and academia, such as through Fortinet’s Security Academy Program, collaborating globally across sectors, and forming partnerships with other organizations championing cybersecurity is perhaps one of the most successful ways to ideate scalable solutions to the skills gap.
One unexpected benefit of the COVID-19 crisis is the increased opportunity for at-home, self-guided education. With most businesses operating remotely, many employees have now found more uninterrupted spare time, and organizations should encourage those employees to sharpen their cybersecurity skills. A recent Fortinet survey found that 85% of security team members across North America hold security certifications. 94% of security professionals believe their certifications have better prepared them for their current jobs. And 82% of organizations prefer to hire candidates who have certifications. So providing individuals with additional opportunities to gain new security skills and certifications not only increases the available skillset within the organization, it also engenders loyalty among team members.
As Wheatley explained to Forbes, “[When COVID-19 hit], we announced that all of our self-paced cybersecurity training courses would be available for free to everyone until the end of the year.” Fortinet immediately saw a dramatic increase in individuals registering for and taking this training. And now, over six months later, Fortinet continues to see increasing demand for its NSE Training Institute courses and certifications.
Hiring managers should not only consider but prioritize candidates who have traditionally been underrepresented in the space. Veterans, for example, tend to be excellent candidates. “Veterans come out of the [armed] forces with a lot of the skill sets that go well with cybersecurity. They work great under stress and pressure, and they have situational awareness and [experience with] analytics,” Wheatley notes.
The industry should also focus on increasing opportunities for women, who currently represent only about 14% of the cybersecurity workforce. Organizations must work incessantly to remove stereotypes and encourage a new image of the modern cybersecurity professional.
Finally, both Manky and Wheatley suggest that organizations remain open-minded to remote work even as the pandemic dissipates. Many threat-hunter, data science, and intelligence operations roles are perfectly suited to remote work. And increasing the geographic radius of a candidate pool means hiring managers can select from a broader range of qualified applicants.
The cybersecurity skills gap challenge won’t be easy to solve. And our current global health crisis certainly isn’t helping matters. The rapid transition to telework opened up even more vulnerabilities across insufficiently secured home networks, and novice remote workers have been persistently targeted by cybercriminals.
Manky closes out his conversation with Forbes with a warning: “Cybercriminals enjoy a lot of leisure because we lack professionals right now. We really need to close that gap.” Unlike the cybercriminal community, organizations already wrestling with business continuity in a time of economic uncertainty don’t have time to waste. Hopefully, by investing in learning and upskilling opportunities, considering a wider pool of candidates, and strengthening partnerships across the public and private sectors, cybersecurity leaders will be able to make strides towards filling the gap and getting back to the business of running their business.