While there are undoubtedly many major challenges within the world of cybersecurity, one of the principal roadblocks to the implementation of effective data security is the lack of skilled cybersecurity practitioners. In a November 2019 report, the International Information System Security Certification Consortium, (ISC)² suggested that the cybersecurity workforce needs to increase by 62 percent in the U.S. market alone to close the gap, and that it would take roughly another 4 million security professionals to close the gap globally. The numbers are pretty disconcerting to those of us who work in the security industry, but if this challenge wasn’t enough to solve on its own, over the past year since its outbreak and the beginning of shutdowns, COVID-19 has made it more difficult, throwing new challenges into the mix.
How did we get here?
For a long time, enterprises might have used between three to five data platforms for their entire business. Up until this point, data sources were on-prem. Extending to new databases meant a large investment of both resources and time to integrate them, so data professionals tried to funnel every application into them instead. Overall it worked. With a relatively “simple” data environment, security teams were able to remain lean and use systems-native data logging and monitoring tools to create audit trails for compliance. Everyone was reasonably happy.
In the past ten years, with the explosion of the cloud, enterprises’ data environments have seen a corresponding explosion, rapidly moving from monitoring all workloads and data on perhaps five on-premises sources, to monitoring and securing up to ten or twenty types, on-premises and in the cloud. The proliferation of the cloud has made our data environments exponentially more complex, by offering companies the ability to integrate any cloud source almost immediately, and the task of securing them has grown exponentially more difficult as a result. Each new cloud data source has its own API and unique systems. To effectively secure them, companies must have someone on the team that understands each system. But while the data environments of today are sophisticated and larger, often the security teams responsible for them haven’t grown in parallel.
The implications of the Coronavirus on cybersecurity labor
With the skills shortage already a growing issue in the best of times, COVID-19 has, as in many industries, made the situation even more difficult in a number of ways. The first and most obvious is that COVID-19 has actually impacted the IT budgets. With revenue streams for the upcoming year more volatile than in years before, many executives have been forced to cut their IT budgets and look at any additional spending with greater scrutiny. Many security teams have been forced to mix and match existing personnel to fill holes. An April 2020 (ISC)² survey of 256 cybersecurity professionals found nearly half were recently re-tasked to other IT roles such as securing remote work environments. When we couple the potential for shrinking teams, and sudden changes of roles, with a 63 percent increase in cyberattacks related to the pandemic, it becomes clear why the Information Systems Security Association called COVID-19 a “once-in-a-lifetime opportunity for hackers and online scammers.”
A second way COVID-19 is impacting the worker shortage is by forcing everyone home. Lockdowns have changed the way we’ve worked over the past year, driving many people to work at home full time. While we can and will adjust to this, it has had an impact on the speed of certain tasks, and the training of new hires has suffered as a result. Skilled practitioners who could share their expertise have not been able to engage in practical training with new recruits as easily as they would in person, and so training and onboarding of new security professionals has slowed down.
A third way COVID-19 is impacting the workforce is in that it’s practically impossible to hire skilled people who don’t already reside in the country, state or city where they’re needed . Even though people can work from home, it’s still normally necessary for new employees to live in certain geographies.
What can we do?
No single action can bridge the cybersecurity skills gap. With millions too few practitioners in the field of cybersecurity, the industry obviously has some institutional issues that must be dealt with. The first thing we must re-examine is how we identify and recruit our talent, and explore the true value of traditional degrees in the cybersecurity community. As an industry, we should focus on identifying the right candidate with the right motivation, regardless of how full their resumes are, and commit to training them and growing them professionally. Opening up the field to more candidates and embracing those who have an aptitude for security, even if they lack the formal training could be a huge boon for an industry where current standards are yielding too few candidates for too many jobs.
Given the sheer number of recent seismic changes to the modern enterprise (e.g., accelerated digital transformation, new data retention requirements, emphasis on security beyond compliance, etc.) adding more staff may not be enough to close the gap fully. In these cases, automation could represent the shortest distance between you and securing your entire data estate. An end-to-end data security platform that can ingest, consolidate, and store data from all sources eliminates the need for enterprises to acquire employees with specialized skills to secure each one. With a unified platform approach, automation will cut out manual work that requires dozens of security professionals’ attention and enable one team to oversee the security for far more assets than they could manage otherwise. This option would create nominal additional overhead, but automating these time-intensive tasks would not only ensure greater accuracy than manual work, it would do it in a fraction of the time and therefore free up security professionals to perhaps take on other roles and assist in other areas.
Around the world, and across industries, COVID-19 is challenging us and exposing flaws that we’ve avoided dealing with for some time now. Now, in the midst of a pandemic, isn’t the ideal time to implement wholesale changes in how we manage cybersecurity. We can and should, however, take this time to reflect on the underlying causes of this crisis and create new strategies to deal with it so that, once we’re past this and our budgets bounce back, we have a system in place that will enable us to overcome these gaps.