Considerations for Addressing the Cybersecurity Skills Gap
Posted by: Gary Brickhouse
As we consistently see in the headlines, cybercriminals and nation-states continue to have success compromising environments, fueled by a rapidly expanding attack surface and poor system hygiene. These threat actors are financially or politically motivated and have the expertise and operations to successfully conduct cyber attacks on governments and organizations across the globe.
To defend against these specific threats and others, organizations need the right people, processes, and technology. The challenge is that most don’t have enough skilled cybersecurity personnel to make this a fair fight. Despite increased investment in cybersecurity, commercial and government organizations continue to face a massive skills shortage, driven by heavier workloads, unfilled positions, and worker burnout.¹ In fact, there are more than 2.72 million open cybersecurity positions, and the global workforce needs to grow 65% to effectively defend organizations’ critical assets.² So what are organizations supposed to do? How can we staff up to eliminate–or at least minimize–the cyber whack-a-mole that leaves us always responding and seemingly never catching up?
Here are some recommendations for organizations to address the cyber skills gap:
Automate Routine Tasks – Don’t have enough people to tackle all of the tasks? Look for areas to automate. While automation certainly does not solve everything, automating parts of your cybersecurity operations can reduce the manual effort required from trained staff, freeing them to focus on higher-value work. Good candidates for automation include security operations, alert triage, IAM, continuous pentesting, and more.
Focus on Learning and Growth Opportunities to Enhance Employees’ Expertise – There are certainly plenty of training and certification programs out there to help your team grow. Encourage and fund your employees to take advantage of these. As we know, it is often hard to carve out the time to allocate for training, but it must be a priority. Also, ensuring your staff has exposure to peers across the industry through conferences, webinars, and lunch-n-learns is a great way for them to see how others are addressing cybersecurity challenges in their organizations. Establishing mentorship programs and defined growth paths within your organization is also a great way to provide opportunities for employees to go deeper into cybersecurity specialties–and it’s a “win” for them and you.
Look for People with Relevant Skill Sets… Not Just Cyber – With a shortage of cybersecurity skills, as an industry we need to think outside the box when it comes to adding resources to our security teams. Many people outside the traditional infosec team already have core skills that translate well into security work, such as risk management, data analytics, troubleshooting, development, and audit. These skills provide a good foundation on which to build infosec skills, making growth into a valuable infosec resource a real possibility. Here are some specific roles and skills to consider for increasing your organization’s cyber capability:
- IT Administration – These individuals already have some baseline understanding of network architectures and authentication processes that could be the foundation for growing their cloud security or identity management skills.
- Software Engineering or Computer Science – Personnel with a software engineering background understand the underlying code and could shift into Application Security to help identify vulnerabilities. Those who enjoy creating solutions and know how to write Python could use that foundation to move into cybersecurity areas such as Security Orchestration, Automation, and Response (SOAR).
- Technical Leadership – Individuals with technical leadership experience could put those skills toward strategy and program management, where they can work with departments throughout the organization, using a variety of collaboration tools and techniques to drive operations.
- Business or Military Intelligence – Employees with an intel background could shift to Security Analytics, which uses data analysis to detect and prevent threats, or into a threat intelligence analyst role.
Augment Your Teams with Skilled Professionals – Whether through assessment activities, staff augmentation, or managed services, even the most mature and skilled organizations can leverage outside resources. Consulting organizations with proven expertise in different facets of cyber can help execute your programs, improve your strategy and roadmap, or simply add bandwidth to existing projects and initiatives.
Demand for skilled cybersecurity professionals exceeds the supply of people available to fill those roles. Automation, staff augmentation, looking for related skills outside of core cyber, and a focus on training and incentivizing employees are all ways to help address this gap. It’s time to get creative, because the need for cyber skills will only become greater.
1 – The Life and Times of Cybersecurity Professionals 2021, ISSA and ESG
2 – 2021 (ISC)² Cybersecurity Workforce Study
Gary Brickhouse
CISO,
GuidePoint Security
Gary Brickhouse, CISO and VP of GRC Services at GuidePoint Security, began his career in the security industry in 2001. Gary is GuidePoint’s internal CISO and is responsible for all aspects of the company’s information security program, inclusive of building and maintaining our internal security architecture and control practices. Gary also leads the GRC Services consulting practice where he is responsible for the development and delivery of GRC service offerings to support our clients. This unique position allows Gary greater visibility into customer needs from an industry services perspective and also as a practitioner, addressing the same risks for GuidePoint.
Previously, Gary was the Security and Compliance Architect for The Walt Disney Company, working on a large, multi-year business program where he served as the subject matter expert for compliance, data privacy, infrastructure and application security as well as securing emerging technologies like RFID. While at Disney, Gary also served several years as the Compliance Manager responsible for the oversight and execution of the parks and resorts’ compliance programs. Previous to working at Disney, Gary was an Information Security Specialist at Publix Super Markets, one of the nation’s largest retailers.
Gary is a frequent speaker at industry conferences and webinars, covering a wide array of information security topics. He earned a Bachelor of Science degree from Florida Southern College, holds the Certified Information Systems Security Professional (CISSP), and is an ITIL v3 expert.