The shortage of IT security professionals is negatively affecting organizations as they struggle to keep assets safe in an era of growing IT threats and complexity.
These were the results of a global survey of 1,000 cybersecurity professionals conducted by Vanson Bourne and Trellix, which found that 85% of respondents believe labor shortages are affecting their ability to secure increasingly complex networks and information systems.
Additionally, a large majority of respondents (91%) believe broader efforts are needed to grow the pool of cybersecurity talent from diverse groups.
More than nine in 10 respondents (92%) said they believe more mentorship, internships and apprenticeships would support the participation of workers from diverse backgrounds in cybersecurity roles.
Kent Landfield, head of technology standards and policy at TrellixOne, added that one of the biggest challenges for IT security teams these days is employee burnout.
“Companies need to develop and make sure they understand that there is a career path for cybersecurity,” he explained. “People want to grow and want to feel like they have a productive and useful future in the organization.”
He added that the survey again raises the specter that the cybersecurity talent gap cannot be addressed without expanding the ranks of the workforce beyond the traditional talent pool with the traditional resume and career path.
“We won’t be able to expand the workforce unless we can tap into the talent within groups currently underrepresented in cybersecurity and take some non-traditional approaches to recruiting, training and developing talent,” he said. “It should also be understood that not everyone needs to have a four-year degree to be successful in the cybersecurity field.”
From Landfield’s perspective, organizations should look for creative ways to find those interested in cyber-related opportunities.
“The cybersecurity talent gap is an imperative not only for the cybersecurity field, but also for industry and national security postures that increasingly rely on cybersecurity as a security domain,” he said.
The cybersecurity skills shortage
Ravi Pattabhi, vice president of cloud security at ColorTokens, a provider of autonomous zero-trust cybersecurity solutions, noted that a significant shortage of qualified cybersecurity experts is a widespread problem, not just in the United States, but around the world.
“Some universities in the United States have started teaching students some of the basic cybersecurity skills, such as managing vulnerabilities and hardening systems security,” he said. “Meanwhile, cybersecurity is undergoing a major change.”
He explained that the industry is increasingly incorporating cybersecurity at the design stage and building it into product development, code integration, and deployment through DevSecOps.
“This means that software developers probably also need basic cybersecurity skills, including the MITRE ATT&CK framework and the use of penetration testing tools,” he said.
He added that companies are primarily looking for graduates who have some experience using basic security tools, such as pentesting and scanning tools.
Additionally, the rapid global adoption of the cloud means that it is especially important for recent graduates to have some level of familiarity with the cloud and the security of cloud infrastructure.
“Therefore, there is a high demand for graduates with cloud experience in AWS, Azure and GCP, in particular developers,” he said. “Lastly, knowledge of some fast-growing programming languages like Go and Rust is also a big plus.”
The survey found that support for skills development (85%) and the pursuit of certifications (80%) were selected as very or extremely important factors for the industry to expand the workforce.
Mohit Tiwari, co-founder and CEO of Symmetry Systems, said the pandemic has accelerated organizations' digital transformation initiatives, so the ability to configure cloud workloads and help organizations overcome security and compliance challenges remains a highly in-demand skill set.
“Part of the reason is that workload organizations that resisted moving to the cloud were highly regulated, and the forced move of on-site data centers managed by IT staff is increasing the demand for IT skills in cloud-based security and compliance,” he said.
From his perspective, cloud-based security techniques will continue to be critical.
These include learning to work with cloud-native identity and access management (IAM), large-scale log analytics and alerting techniques, NIST and similar compliance frameworks, and more generally, learning to manage infrastructure through structured programs instead of assembled shell scripts.
“As networks and application layers become ephemeral, the most important persistent asset for any business will likely be its own and its customers’ information,” he said. “Therefore, cloud data security will be an important topic in the future.”
He noted that cybersecurity education has traditionally focused on teaching encryption basics, memory bugs and web application vulnerabilities, and various network layer security concerns (TLS, DNS, MAC).
“This is a great start; however, creating new encryption libraries or exploiting web applications is a very small fraction of the security-related work in the industry,” he said.
Tiwari predicted that soon, workloads will most likely be deployed in the cloud, managed as code using CI/CD and runtime systems like Terraform and Kubernetes.
This means that security engineers will look a lot like classic computer scientists/engineers and will have a unique opportunity to incorporate security functions into a utility network.
“For example, to create domain-specific languages to create compact policies, compilers to translate them into cloud IAM backends, and run-time analytics and response to build resiliency in a utility network,” he said.