Until a few years ago, "information security" was a new domain known mainly to IT staff and a few others. Most people on the street were neither aware of nor bothered about information or data security, and the same was true of most business folks. The main concern was to protect a company's sensitive information from unauthorised activity. Within less than a decade, "cybersecurity" has become a common phrase: protecting all inter-connected devices, hardware, software, resources and data, and making sure all of these continue to operate unhindered. With the rapid growth of the digital economy, phrases like cybersecurity, cyber threats and cyberattacks are now common knowledge across the entire spectrum of society. It has become a common topic of discussion from board rooms to living rooms.
Technology Consultant & Adviser, Ex-CIO
SBI Funds Management
The rise of the Digital Firefighters
As per a 2021 estimate, the digital economy was worth $11.5 trillion globally, equivalent to 15.5% of global GDP. Furthermore, it had grown 2.5x faster than global GDP over the past 15 years. Our livelihoods today are more digital than ever before, and our dependency on the digital world at all levels is bound to increase. All of our critical infrastructure, including public services, banking & financial services, energy, health care, education and transportation, is now digital / online, to varying degrees in different geographies. Like death and taxes, cyber-crime has unfortunately become a permanent fixture of our digital world. In the not too distant future, the cybersecurity profession is likely to become a new-age "helping" profession or essential service, like doctors, nurses, police and fire fighters. We may call its members "Digital Firefighters".
Cyber-attacks can have catastrophic effects on governments, businesses and citizens. There is a large pool of attackers across the globe, whether individuals, groups or state actors, who are out there to attack any digital infrastructure or resource with a variety of malicious intentions. So, what should we do now and in the future to protect critical digital assets? One option is to put People before Technology. We can protect critical digital assets by creating a sustainable pipeline of cybersecurity experts, both in terms of numbers and skills, as technology and processes alone will not be sufficient.
As per the 2021 (ISC)² Cybersecurity Workforce Study, there are 4.19 million cybersecurity professionals world-wide, but there is still a gap of 2.72 million. While the gap has narrowed steadily over the last few years, the workforce still needs to grow by 65%, along with appropriate skill development, to effectively defend critical assets. While there are many dimensions of the cyber-security talent & skill gaps to be addressed, as we will analyse here, we need to keep in mind that no single organisation, institution or government can close the skill gaps alone.
Decoding Cybersecurity Workforce Trends
To effectively address the workforce and skill gaps of cybersecurity professionals for the future, we must understand the current trends. Some of the key facts and trends on the cybersecurity workforce, as per the (ISC)² 2021 study, are as follows:
- Pathways into the cybersecurity profession are changing. While around 53% of Gen X and 55% of Baby Boomers started in the field of IT and then moved to cybersecurity, only 38% of Millennials started their career in IT. Even though an IT background remains the single most common route, other pathways for new entrants are emerging, such as transitioning from unrelated fields, entering through cybersecurity education, and exploring cybersecurity on their own.
- Talent shortage has a wide-ranging impact. In spite of 70,000 professionals being added to the cybersecurity workforce in a year, there is a huge gap in skilled resources globally. Some of the real-life consequences of staff shortages are misconfigured systems (32%), improper or no risk assessment (30%), slowness to patch critical systems (29%) and rushed deployments (27%).
- People-first approaches, complemented by process & technology, are key to addressing the gap. Development & retention of existing staff can have the biggest impact on the cybersecurity workforce gap, as per 42% of the participants. Organisations have already started investing in people development, such as training & certifications, flexible working conditions, diversity, mentorship programs, and hiring for attitude & aptitude while training for technical skills. In spite of being stressed, unappreciated and working under tremendous pressure, the majority of cybersecurity professionals, especially younger professionals, are a highly engaged and satisfied workforce. The challenges and dynamism of the work make many professionals happy.
- The National Initiative for Cybersecurity Education (NICE) framework is helpful for a standard view of today's cybersecurity field. The NICE framework's seven major categories of functions (security provision, oversee & govern, operate & maintain, analyse, protect & defend, collect & operate, investigate), and the several specialisations & roles associated with these functions, help us see whether the current workforce is aligned with the requirements of the industry or not. At present, the largest percentage of the workforce falls under the Oversee & Govern function (28%), followed by Security Provision (18%) and Protect & Defend (16%).
- Cybersecurity workforce participation is skewed towards the IT sector. A majority of the more qualified and talented cybersecurity workforce is working in IT product & services companies. Sectors that are critical from a cyber security vulnerability viewpoint, such as banking & financial services, government, healthcare and telecommunications, are lagging behind in attracting & retaining a skilled workforce.
- Cybersecurity professionals require a blend of technical and complementary skills. The top five areas of skill development are Cloud Security (40%), Risk Assessment & Analysis (26%), AI/ML (25%), GRC (24%) and Threat Intelligence analysis (22%). While demand for certifications is equally divided between vendor-neutral certifications (like CISSP, ISO 27001) and vendor-specific certificates, such as those issued by Microsoft, AWS and Cisco, the top two certifications being pursued at present are CCSP and ISO 27001 Lead Implementer.
- The two most important qualifications for cybersecurity jobs are certifications (32%) and relevant experience (31%). But this trend is changing, as a few non-technical skills & attributes, such as strong problem-solving abilities, curiosity & eagerness to learn, and strong communication skills, are now considered equally important.
Understanding the Cybersecurity Talent Gap
While many companies are not very clear about the specific roles and functions of the cybersecurity professionals needed in their respective organisations, surveys have indicated clear talent gaps as well as a skewed InfoSec team composition in many companies. More experts are required in the Security Provision, Protect & Defend and Analyse functions, as these are listed as the top three in terms of staff shortages. HR, with the help of the CISO / InfoSec team, should focus on creating roles and job descriptions suited to the specific organisation's needs, instead of writing generic job descriptions overloaded with too many and unrealistic responsibilities.
Reinventing Hiring Practices
With ever-increasing dependency on digital platforms, cybersecurity must be ingrained in processes, operations and strategies. It is no longer an option. The gradual shift of cybersecurity from a purely IT-centric mindset to a broader perspective is definitely a positive sign. It is reflected in the survey, as non-technical skills and diversified backgrounds are becoming equally important for new entrants into the cybersecurity domain. This approach will create a more diverse pool of talent and will help bridge the talent gap in the long run.
Adopting a People-first Approach
People-first approaches are key to addressing the workforce and talent gaps. Most participants in the (ISC)² 2021 study give more priority to people investments than to technology, both to strengthen the organisation's security posture and to address workforce gaps. It is quite evident that technology cannot be a substitute for the human element. Organisations need to invest more in people-centred practices (such as diversity, mentorship programs, well-defined career paths, addressing pay & promotion gaps, etc.) to address the cybersecurity workforce gap.
Cybersecurity is no longer an IT-centric field; it has become a multi-disciplinary field that includes technology, finance, risk, legal, compliance, project management, communications and training. Tapping into new sources of talent and welcoming non-traditional pathways into cybersecurity careers can lead to a more diverse talent pool, which can be further nurtured through on-the-job training, professional development, micro-certifications and many other new approaches.
Cybersecurity workforce and skills shortages are real. We need to address this issue urgently, before the wildfires of cyber-attacks, data breaches and malicious activities destroy the foundation of the digital world.