Whether or not the cybersecurity industry is currently facing a skills shortage is a matter of intense debate. On the one hand, (ISC)2 publishes an annual report on the state of the cybersecurity workforce, and its current estimate is that more than 4 million cybersecurity positions are unfilled globally. On the other, many claim that the difficulty companies have in filling cybersecurity roles comes down to a lack of processes for directing and re-skilling qualified individuals into those roles.
This post explores the myths and facts surrounding the cybersecurity talent shortage and what you can do about it.
Whatever the true size and shape of the talent shortage, the fact remains that 62% of cybersecurity teams report being understaffed. Organizations are struggling to fill key cybersecurity roles for several distinct reasons.
One of the biggest contributors to the cybersecurity talent shortage is that candidates are often unqualified for the positions they apply for. More than two-thirds of companies (70%) believe that fewer than half of their applicants are well-qualified for the position they are seeking.
This means that, even where qualified candidates exist, companies struggle to find them and waste resources weeding out applicants who cannot fulfill the duties of the role.
The problem of misaligned expectations is not wholly on the applicants’ side. Many organizations are reliant upon hiring practices that require years of experience within a certain role or with a certain technology.
While experience may be necessary for certain roles across an enterprise, experience requirements are sometimes out of step with reality in the cybersecurity world, which advances faster than other disciplines. A lack of technical understanding on the hiring side can lead to unrealistic expectations.
Numerous examples exist of job descriptions requiring more years of experience with a particular technology than that technology has existed. Others require a “unicorn”, an individual with the skill set of an entire IT or security team.
Additionally, hiring practices focused on years of experience do not account for skills an applicant may have gained through non-professional pursuits, such as capture the flag (CTF) competitions or personal projects. Nor do they account for the opposite case: an employee may have spent several years in a particular role without gaining any additional skills or knowledge while doing so.
In some cases, the cybersecurity talent shortage is actually the gap between recruiter expectations and reality.
Even if the cybersecurity industry has enough professionals to fill every open role, this does not mean that a skills gap does not exist. An entry-level cybersecurity professional cannot be expected to act as a CISO or fill the role of a seasoned malware analyst or penetration tester.
If cybersecurity professionals are searching for a role but cannot meet the needs of a given position, then a skills gap exists even if the supply and demand for workers are equal.
For example, almost all companies have adopted cloud computing and need the ability to secure their cloud infrastructure. However, 67% of cybersecurity professionals struggle with understanding the cloud shared responsibility model, the fundamental division of labor in which the provider secures the underlying infrastructure while the customer remains responsible for what it deploys on top of it: configuration, identities, access control, and data. If cybersecurity professionals lack the skills that organizations require, then key cybersecurity positions will remain unfilled.
If (ISC)2 is correct, the cybersecurity industry has a skills gap that will not be closed any time soon. As a result, filling critical roles within companies' cybersecurity teams will be difficult and expensive as organizations compete to attract and retain qualified candidates, and the roles that stay vacant leave the door open to successful cyberattacks that could otherwise have been prevented.
While demand for qualified cybersecurity professionals exceeds the supply, organizations must take a different approach to securing their networks.
Both small and large companies can benefit from leveraging the expertise of a partner to augment cybersecurity skills. Small companies can get enterprise-level services for a fraction of the cost of supporting full-time employees; large companies can relieve their IT departments of time-consuming tasks and still save money.
This allows both to focus on their core competencies: the outsourcing provider brings platform and process expertise to the table to help guide program maturity while handling tactical projects, which frees the customer organization to focus on operating its business and handling strategic technology initiatives.
For instance, an MSSP can enable an organization to achieve an equal or greater level of security at a fraction of the cost. The average SOC analyst salary is $88,231, and a company needs at least six SOC analysts to maintain 24/7 coverage with two people on shift at all times (which provides only minimal protection). Six is a floor, not a realistic headcount: two people on shift around the clock is 336 staff-hours per week, or 56 hours per analyst before vacation, sick leave, or training is accounted for. Even at that floor, the salary bill comes to over $44,000 per month, and that figure excludes security hardware, licensing fees, and the specialized expertise needed for incident response. It is far higher than the monthly fee of an MSSP providing a much wider range of services.
Partnering with a Managed Security Services Provider (MSSP) or an advisory firm can provide access to the specialized skill sets a company needs to protect itself against cyber threats. Contact us to start the conversation.
We've developed an e-book comparing the two options, building an in-house security operations center (SOC) versus outsourcing, including the advantages and disadvantages of each, staffing costs, and the costs associated with building a SOC. Download the e-book!