At this point, it’s no secret that there is currently a shortage of cybersecurity skills and tech talent throughout the workforce in America. But what many may not realize is exactly how dangerous this gap is becoming and how much bigger it seems to be getting. According to a recent article published by Fast Company, globally, the number of vacant security jobs exceeds 1 million and the majority of industry experts agree that the sector is generally understaffed and unprepared.
The lack of information security skills isn’t just a problem for businesses and hiring managers. It is, or at least should be, a concern of just about everyone. Speaking to the source, ISACA Cybersecurity Advisory Council President Eddie Schwartz called the talent gap “absolutely dire,” pointing to both companies and educators emphasizing basic security training that has more to do with business compliance regulations than sophisticated cybersecurity software and hacker techniques. The issue is also fueled by problems with cybersecurity education, or lack thereof. The IT students who study information security or software engineering aren’t necessarily provided the proper training or career guidance that makes it easy to enter this workforce immediately after graduating.
“The way to be able to identify mistakes is to know where one would make them oneself,” Mike Weber, vice president of security business Coalfire, explained to Fast Company. “It’s really a role of reverse-engineering, and in order to be able to reverse-engineer something, you need to be able to forward-engineer it.”
To defend against hackers, IT professionals need to be trained in their techniques.
This is why, to bridge the security skills gap, a growing number of organizations and institutions of education are developing training programs that focus on white-hat hacking. Some of these processes revolve around giving participants hands-on learning experiences that go beyond the standard instructional design, such as conducting penetration testing in labs.
Training talent for better threat intelligence
Still, there is a lag in how many security professionals are available to fill the positions rapidly opening up, forcing businesses to seek alternative solutions to enhance cybersecurity. When recruiting information security specialists to join in-house tech teams is not an option, one strategy is to outsource IT operations to third-party providers. Another is to provide existing staff with cybersecurity training. The latter offers companies a way to make long-term investments that benefit both the business as a whole and the individual employees. By expanding the skill set and capabilities of their already loyal and dedicated IT teams, employers are able to exercise greater control over information security initiatives.
“The shortage of cybersecurity skills is not an excuse to prioritize processes over people.”
Granted, at this point, every business leader should be implementing cybersecurity awareness training throughout all levels of the organization. As hackers become alarmingly sophisticated in their tactics, cyber threats are quickly accumulating. Internal users are some of the biggest security risks, with criminals continuing to use email and even smartphones as attack vectors. Implementing this training is especially crucial for company executives if they do not currently possess the in-house talent needed to ensure the highest level of computer protection and critical IT infrastructure safety.
In an article for CIO, contributor and IT consultant Mark Edmead pointed out that, too often, organizations today are using a patchwork approach to cybersecurity, assuming that randomly investing in digital tools and technology will be enough to adequately defend their systems and guarantee cyber safety. However, this is not a long-term, sustainable or wise strategy because, as former AIG Vice President and Global Information Security Officer Aiman Khalil told the source, these solutions tend to “overpromise and underdeliver.”
“It is no longer sufficient to deploy the best firewalls and roll out the top antivirus and hope for the best,” Khalil explained to CIO. “Technology is only a piece of the puzzle that must be coupled with a comprehensive risk-management strategy, strong processes and well-trained staff and workforce to achieve an acceptable security posture.”
Investing in people
The well-known shortage of information security skills should not be used as an excuse for businesses and corporate executives to prioritize processes over people. Rather, it should act as a reason to drive improvements in cybersecurity training and increase IT development efforts.
At the National Cybersecurity Institute, we make it easy for organizations to do this. Choose from one of our many cybersecurity specialty courses, such as Cybersecurity for Small Business and Non-Profits, that can help professionals better understand the ins and outs of information security, including how to identify major threats and develop cybersecurity policies, procedures and audits for the organization.