How to Provide Better Cyber Protection When You’re Understaffed 

There’s a huge gap in the availability of skilled cyber professionals across the entire industry. According to the Information Security Consortium (ISC2), the cybersecurity workforce gap in 2022 was about 3.4 million people. In 2021, it was about 2.7 million. 

Not only is there a gap in available people, there’s a gap in skill. Cybersecurity folks are often expected to be knowledgeable in a wide array of areas, whether it be email, end computing devices, servers, networks, firewalls, or more. Finding someone skilled in all of those areas is a challenge, and hiring them can be expensive.

With an industry-wide concern such as this, it’s important to know both the business impact of understaffed cybersecurity, and how to solve it. 

Being Understaffed in Cybersecurity Affects Your Business 

One of the natural results of understaffing is that the staff you do have must work harder, leaving them prone to burnout. When you’re asking people to do too much, it starts to wear on them and eventually they’re going to look for a new job.  

Understaffed organizations often turn to their IT people to do security work, but IT and cybersecurity are two very different jobs. If you’ve got people without the right skill set and you’re having them do jobs that they’re not trained or qualified to do, they’re much more likely to make critical mistakes that could result in a security event or breach. 

I rarely see developers who know how to write good quality, secure code. Writing secure code is not something that’s generally taught in schools, and it’s not something you can easily pick up. It requires some specialized knowledge, tooling, and skills to do well. Inevitably, it’s a matter of when, not if, there’s going to be a problem in your applications and products.

If you don’t have someone on your staff specifically trained and skilled in how to secure software and how to write good software, you very likely are going to have gaps. 

How Can Organizations Address Their Cyber Staffing Challenges? 

The first thing your organization needs to think about is awareness of the skills shortage. Try to avoid putting security professionals in a position where they’re being asked to do too much and burning out.  

There are three solutions that you can consider here: increasing your staff’s size, increasing your staff’s competency, and decreasing the load on your staff. 

Increase Your Staff’s Size 

Look for creative ways to fill your security shifts. For instance, if you put a security person on call 24/7 plus a daily 8-hour shift, they’re never going to leave the house or office. That’s the fastest way you can get your most valuable employees to quit. Instead, train some junior staff at a lower cost to handle basic tasks and give the top players a little time off the clock.

Fill the gap with staffing organizations, temps, or part-timers. You may not necessarily want to put those individuals in critical roles, but there are certainly jobs that they can fill so that you can focus your dollars and your staffing on the most vital roles. 

Having two or three senior security personnel responsible for a staff of juniors, contractors, and consultants is a better model than having one or two security people trying to fill all of those roles alone. 

You can also contract vendors to outsource some of your security work. A security operations center (SOC) is a good option that can be outsourced easily. This is where all of the logs, alerting, and incident detection begin. And it’s prime for outsourcing because one organization could potentially monitor dozens of organizations’ logs and events, all in a single console. 

Increase Your Staff’s Competency 

If you heavily invest in properly training your people, then sometimes you can internally grow the staff to meet your security needs. 

Organizations like ISC2, SANS, and many others offer world-renowned specialized training courses, ranging from web-based training to in-person classes and everything in between.

Security is one of those fields that is constantly changing. If you don’t provide your security professionals the opportunity to retrain, retool, and reskill, their skills will rapidly become outdated. That will cause the problem to multiply.  

Decrease the Load on Your Staff 

Investing in your IT security tools and technology can help you manage your staffing level. A well-run shop isn’t going to need nearly as many people to keep the lights on. 

If the staff that you have are busy fighting with ineffective technology, then you’re just making your staffing problem that much worse because you’re not maximizing the benefits of their time. Bringing in consultants to review, recommend, and optimize your technology can address this issue. 

You may not be able to hire engineers to operate each of your security tools individually, but through automation and integration, you can potentially hire a small team of engineers to manage a large portfolio of tools.

In the long run, automating your security systems will be more cost effective for you. You might spend a little more money upfront doing some of the automation, but once you’ve got it built, then you can easily continue to add more and more tools into that framework. 

Is Automation Underutilized? 

One of the most common things I see is organizations that have individual teams for each of their security tools. That’s probably overkill in most cases, even in large organizations. A good team with well-designed integration and automation ought to be able to manage an entire portfolio of tools. 

The engineers ought to be cross-trained and be competent and capable with each of the tools in the portfolio. That gives you a lot of flexibility for things like on-call time and coverage. When there are incidents, the team can easily divide and conquer if everybody is cross-trained in the whole portfolio. 

Organizational silos often cause either one tool or a very small number of tools to be managed by a larger pool of engineers. And when more tools come in, it creates a perceived staffing shortage. 

A lot of security tools are designed to be somewhat lights out. They’re designed to alert or notify you when there’s something that needs to be done. You don’t necessarily need to be staring at them constantly. 

And that’s even more true if you integrate them into something like a security information and event management (SIEM) system. You can have your entire portfolio feeding into one SIEM and then have a single pane of glass. If and when there’s a condition that requires investigation, that can pop up in the SIEM and get assigned accordingly.

That doesn’t mean you should never look at consoles for individual tools. You need to develop a standard operating procedure. What are the daily, weekly, quarterly tasks that need to be done for each of the tools? If you have discipline, you can be pretty efficient at managing your tools. 

Early Investments in Cyber Pay Off 

Since we have a skills shortage, large business customers especially should partner with local colleges and universities. We need to do more on the scaling front by getting more young people interested in cybersecurity.

It’s actually a very interesting and dynamic career. And there are a lot of opportunities that certainly pay well. There are many reasons for young people to get into the field.

But interestingly enough, it’s not growing at the rate one would expect. Part of that is the fear of the burnout factor because students are aware of how hard some of these cybersecurity roles can be. 

Black Kilt Helps Understaffed Organizations Meet Their Security Needs 

Black Kilt can help you address staffing concerns in a number of ways. With our consulting model, we have the ability to provide temporary staff or part-time staff to fill the gap. Generally speaking, we can provide those staff on short notice. 

Even more importantly, we can use our extensive expertise to optimize your portfolio. This includes making sure you have the right tools and that they’re running in an optimal manner. We can build the automations that you might be missing. 

When we come in and reimplement, re-architect or integrate tools for you, we’ll document and train your staff. If you don’t have staff, we’ll help you identify the best mechanism for finding, hiring or acquiring staff who can be responsible for that tooling in the long term. Some of it is heavy lifting, but we’re happy to do it. 
