As the number of cyberattacks continues to increase year-on-year globally, organizations are hard-pressed to both retain existing security professionals and hire new talent.
This deficit of professional resources continues to pose challenges for organizations looking to bolster their human defenses against cyberattacks. An estimated 3.5 million unfilled cybersecurity jobs are still expected to flood the market by 2025. Suffice to say, good cybersecurity talent will still be hard to come by, at least for the short term.
Although this shortage in cybersecurity talent is a crucial pain point shared by the majority of organizations, creative and forward-thinking firms are learning to effectively mitigate cyber risk with the limited staff on hand. By proactively planning ahead, equipping their current team members with the skills for success, and leveraging the right tools, these organizations are positioning themselves to secure and retain top security talent in the face of expanding cyber threats and diminishing human resources.
The drivers behind the current cybersecurity talent shortage are multi-faceted and varied. However, most causes originate from the relatively recent wave of digital transformation sweeping up industries across the board, followed by an increase in cyber risk and the resulting sharp rise in cyberattacks.
Naturally, this has resulted in a dearth of qualified security professionals. Firms are also struggling to upskill their current staff to meet rising security challenges and vacancies resulting from the diversification and specialization of security roles.
Despite the security talent shortage, organizations can nonetheless maintain an effective combination of competent tools and people for combating new and existing cyber threats. Hiring the top security talent may be the preferred method for bolstering the organization’s human security defenses, but it’s not the only way to ensure a resilient cybersecurity posture.
For example, similar investments in acquiring new talent can instead be spent on training existing staff, implementing new products or services for reducing the security workload, and relying on innovations in artificial intelligence/machine learning (AI/ML) to spot anomalies and suspicious patterns in data logs and traffic.
The following are some tips for future-proofing your organization’s security talent pipeline.
Although experienced security professionals are in high demand, new graduates, mid-career professionals transitioning to cybersecurity, and interns or trainees with no security experience can provide—if given the appropriate opportunity and resources for skills attainment—equal, if not superior, value to the organization over the long run. This could apply to both external and internal hires.
In many cases, an organization’s specific security needs might be addressed by the staff they already have. For example, an unmotivated, mediocre security operations center (SOC) engineer with a knack for development may subsequently excel in a role as a DevSecOps engineer.
Another effective approach to addressing the cybersecurity talent shortage is to minimize the number of human resources required to monitor and triage security incidents—for example, reduce the headcount required for SOC operations.
According to a study by McKinsey, 60% of SOC teams can only analyze and triage less than 40% of their log data. But with the proper tools to improve signal-to-noise ratio, reduce alert overload, enable higher-level insights, and make better correlations, organizations can maximize the potential of their existing security staff, empowering them to do more with the knowledge and skill set they already have.
For example, a competent tool using AI/ML to provide deeper insights and more accurate correlations could enable a Tier 1 analyst to do a Tier 3 analyst’s job.
Employees may be the weakest link in the enterprise security chain, but with some investment in training and awareness, they can become the organization’s strongest defenses. For instance, regular employee cyber hygiene training can keep the number of security incidents down to a manageable number for the existing security staff.
Direct hiring is not the only way to expand an organization’s security staff. Firms are increasingly relying on managed security and SOCaaS providers to round out their cyber threat detection and mitigation capabilities.
Cyberattacks and security failures will likely continue to dominate the headlines for the foreseeable future. In an age where everything is dependent—and exposed—on the internet, professionals highly trained in security are coveted by organizations large and small across all industries. By being creative with the resources, tools, and employees they currently have on hand, firms can effectively enable their security staff to do more with less.