Security teams need to continually bolster their cybersecurity controls and expertise to keep up with the evolving threat landscape. In terms of human resources, however, there's not enough talent to go around—and that’s not expected to change any time soon.
The industry is certainly trying to attract new talent, even planting the seeds about security careers with students as young as elementary grades. Colleges are adding more programs and offering cybersecurity-related degrees. And companies are being more proactive in their attempts to attract professionals from other fields.
Unfortunately, the need is too great for even these efforts to close the cybersecurity skills gap in the near future. Meanwhile, your organization must find a way to improve its security posture despite this talent gap. To do so requires being more purposeful—and more creative—about your approach to your security operations.
Lack of Cybersecurity Talent in A Perilous Threat Landscape
The number of cyberattacks rises steadily year after year. Data from the Identity Theft Resource Center (ITRC) shows there were more than 13,000 confirmed data breaches between 2005 and 2020—nearly half of those (more than 6,200) took place in just the last four years.
At the same time, organizations continue to embrace digital transformation and collect enormous amounts of data, which increases the risk that sensitive records become exposed. Massive data leaks of personally identifiable information (PII), such as the 267 million Facebook user records that were found on an unsecure page, are no longer a novelty.
Meanwhile, zero-day threats are on the rise, Internet of Things (IoT) malware is creating botnets from unsecured digital devices, and ransomware has become a billion-dollar industry.
Cybercriminals have also become more audacious. Third-party data breaches, like the recent SolarWinds hack, can impact literally hundreds of government agencies and high-profile businesses all at once.
These trends are not unique to a handful of industries, as cyberattacks constantly hit new sectors. In 2020, pretty much every industry—from agriculture and real estate to construction and healthcare—experienced data breaches.
Hackers' willingness to go the extra mile for illicit gain is not surprising, and they'll continue to succeed if companies continue to rely on understaffed and under-skilled IT teams.
The Widening Talent Gap in Cybersecurity
The success of threat actors, in part, stems from a morphing network topology that requires new, more dynamic tools for defense. But the bigger problem is the well-documented shortage of cybersecurity experts.
In the United States, for example, the supply-to-demand ratio for the cybersecurity workforce was just 1.8 in 2020, compared to 3.34 across all sectors, according to CyberSeek.
ISACA's State of Cybersecurity 2020 report showed that 62 percent of more than 2,000 surveyed cybersecurity professionals felt their organization was understaffed, and 57 percent had unfilled cybersecurity-related positions.
A 2019 survey by the Center for Strategic & International Studies reported that 82 percent of decision makers experienced a shortage of cybersecurity skills. Seven out 10 decision makers believed this shortage caused “direct and measurable damage to their organizations."
The problem is evident: The cybersecurity talent gap is severely hindering the ability of organizations to protect their most important digital assets.
So, how can your security operations team address this problem?
Four Ways to Address Today's Talent Gap
1. Be more selective of IT hires
It's difficult these days to rely completely on generalists. The industry is moving and evolving so fast that you need to find talent with specific skills, such as cloud security. Indeed, in the State of Cybersecurity 2020 report from CompTIA , 85 percent of surveyed organizations said they now take a more specialized approach to their security teams.
Technical skills are just one part of the equation. In addition to having experience in IT specialties, your candidates should bring a variety of soft skills to the table. Since they're going to be your security champions, they need to be able to collaborate and communicate with a variety of stakeholders.
This all adds up to the fact that hiring cybersecurity talent doesn't come cheap. For security analysts, for example, the average annual salary often goes into six figures (ZipRecruiter puts the U.S. average at $91,700 as of January 2021, but to attract top talent, you will likely need to aim higher). In fact, U.S. News and World Report found that the best-paid analysts made an average of $128,640 in 2019.
Of course, expect to pay a lot more for the higher-level specialists you need on your security team. Application security engineers, for example, average close to $130,000 in annual salary—and some make upwards of $180,000.
2. Nurture Your Talent
Recruitment is just the first hurdle—retention is just as big a struggle. It's not uncommon for security pros to leave their employers after just a few months.
The ISACA survey found that 59 percent of those who left did so because they were recruited by other companies. However, half also said they left because of poor financial incentives, and an equal number moved to greener pastures because of limited promotion and development opportunities.
Added together, this means you need to constantly nurture your cybersecurity talent and offer new incentives and opportunities for advancement.
3. Build a Strong Security Culture
The role of a chief information security officer (CISO) is increasingly important and not just because they provide strategy and support and make sure that IT isn't burdened with unrealistic expectations. The CISO also brings a security point of view to executives so that cybersecurity isn't an afterthought but baked into every big company decision. This security perspective then trickles down throughout the organization until it pervades all business operations.
4. Leverage Third-Party Expertise
Whether they wish to supplement their security teams or completely outsource security, more organizations are turning to third-party cybersecurity expertise. Cisco's 2020 CISO Benchmark Study found significant growth in outsourcing over the past year, likely driven by the increased complexity of providing robust cybersecurity. The report found the top reason for outsourcing was cost efficiencies, while the desire for timelier incident response was a very close second.
One of the biggest challenges that IT and security teams face is the proliferation of tools, which are not only getting more unwieldy to manage but also continue to contribute to alert fatigue.
In addition, building an in-house team of professionals and then arming them with the tools they need to accomplish all cybersecurity objectives often costs millions of dollars annually, assuming it's even possible to lock down the requisite talent.
Leveraging outside expertise helps you improve the effectiveness of your security operations regardless of the rung where your organization resides on the security maturity ladder. Partnering with an experienced security vendor is like having an extension of your team at your disposal 24x7. Outside experts not only help address the cybersecurity talent gap, but also help you improve your security posture over time.
How Arctic Wolf Can Help
Arctic Wolf® security operations solutions managed by our Concierge Security® Team can help solve your security effectiveness challenges and mitigate your security talent shortage. Our experts monitor your environment 24x7 in real time, and a dedicated team works directly with your IT staff. And we don't just focus on tactics—we can take on strategic tasks as well.
See how our Concierge Security Team (CST) helps fill your security talent gap to keep your organization protected.