How businesses can bridge the cybersecurity skills gap

The world is facing a shortage of cybersecurity professionals. This comes at a time when cybersecurity attacks on digital infrastructure are increasing at an alarming rate. The Covid-19 pandemic ushered in extensive industry-wide disruptions as organizations shifted to digital platforms. They increasingly revamped their modes of working and pursued a tech-enabled digital realignment of their core company operations.

About the author

Vishal Salvi is Chief Information Security Officer & Head of Cybersecurity Practice at Infosys.

With such a drastic shift towards digitization initiated in so little time, a host of cybersecurity threats popped up and attacks became more frequent. According to the EU Agency for Cybersecurity, the highest ransomware demand shot up from €13 million in 2019 to €62 million in 2021.

However, even as there is a dire need to protect an organization against these attacks, there is not enough workforce to make that happen. According to the 2021 (ISC)² Cybersecurity Workforce Study, there are 2.72 million unfilled cybersecurity positions. The same study reveals that the global cybersecurity workforce needs to grow 65 percent to effectively defend critical assets of organizations.

Organizations need to shore up their cybersecurity defenses, acquire niche skills to work on cutting-edge technology, and advance their skills in cybersecurity tools, industry frameworks, architecture, and benchmarks such as NIST.

However, the truth is that the world has been facing this shortage for at least a decade. There has been ample awareness amongst cybersecurity communities and industry leaders about the changing landscape and the demand for skills. The pandemic has only highlighted the need for a more specialized workforce with new-age security skills.

How to bridge the cybersecurity skills gap?

1. Identify the skill gap

The first step in solving a problem is to understand it.

Skill gaps are identified by conducting a Training Need Analysis (TNA), which can address the role-wise and capability-wise gaps that keep employees from performing their roles effectively. A TNA helps uncover gaps in employee training, learning and development needs. The analysis should consider organizational needs, current competencies, training methods, cost, and effectiveness.

The skill gap isn’t just a shortage of talent; it is a lack of the ability required to perform multifaceted cybersecurity work. This can involve collaboration, understanding landscape complexity, and applying cybersecurity processes, technology, and controls to solve specific cybersecurity problems.

For skill-building, we must understand the knowledge, skills, and abilities (KSA) required for each job and build them out. We must also benchmark ourselves against the work roles defined by the National Initiative for Cybersecurity Education (NICE) for a better understanding of cybersecurity skill specialization.

2. Applying the levers for bridging the gap

Several levers can be applied to bridge the cybersecurity skills gap.

a. Catch them young and train them

A report that included a survey of young consumers aged 16-25 found that one in four consider a career in cybersecurity because it is a good use of their talent. However, many are tempted to use their skills for developing cyberattacks rather than preventing them. Therefore, it is critical to create specialization and talent attraction policies to get the brightest talent from campuses. It is equally critical to institutionalize, evangelize, and create awareness sessions on cybersecurity in universities. Introducing an industry-aligned syllabus can help companies scale up. Deploying hackathons to recruit talent who can investigate, defend, and operate complex cybersecurity issues and build platforms with new-age technologies is a great option to consider.

b. Refactoring existing IT employees

Refactoring for cybersecurity requires strategy. Not everyone can be refactored; only those with cybersecurity-adjacent skills can qualify. Think professionals with a background in networking, UNIX, Python, Java, or data science.

Keeping employees abreast of the latest threat intelligence and attack methods can mitigate the anxiety caused by cybersecurity uncertainty. It will improve the skills of the existing employees - upskilling to stay relevant and reskilling to stay competitive. Towards that, Infosys has partnered with Purdue University to provide intensive cybersecurity training for thousands of its employees.

c. Build sophisticated solutions to reduce skill dependency, to begin with

Bridging the skill gap doesn’t always mean building skills among people. You could also build a set of sophisticated automation tools that can take most of the system management burden off a security engineer’s shoulders.

This is the Zero-touch approach, one that empowers IT teams to deploy network devices at scale while eliminating most of the manual labor and reducing skill dependency. Implementing Zero Trust in cloud/edge helps to manage critical assets, reduce the attack surface area, and provide pervasive visibility without much manual effort.

3. Engage with gig workers

Gig workers are taking center stage. These could be hackers or just cybersecurity enthusiasts who may not have the necessary degrees. Recruiting them through gaming and simulation-based recruitment processes can serve to bridge the cybersecurity skills gap.

As we tackle different and complex cybersecurity threats, it is important to have teams capable of driving innovation. Teams with high levels of diversity are more creative than those with little or no diversity. Currently, women comprise just 25 percent of the cybersecurity workforce. Investing in diversity isn’t just good social behavior but also good business sense.

In the long run, introducing cybersecurity training in early STEM education can ensure students are market-ready when they graduate. Corporates have to create an environment to retain, train, and provide compelling career growth options for younger professionals.

Ultimately, organizations must acknowledge that cybersecurity can never attain a state of equilibrium; it is a continuous process. Just as scientists must always be prepared for every new Covid-19 variant, organizations must also be ready to take on the next cyberattack. To achieve this, organizational goals, training, and competency budgets must be aligned.

Vishal Salvi is Senior Vice President, Chief Information Security Officer and Head of the Cyber Security Practice at Infosys. He is responsible for the overall information and cyber security strategy and its implementation across Infosys Group.