Cybersecurity is now reported to be the most sought-after technology skill in the UK. There’s insufficient new blood coming into the industry, with an annual shortfall of 14,000, according to a DCMS (Department for Culture, Media and Sport) report, and a brain drain at the top, as experienced professionals either retire or seek pastures new. So how did we get to this point? Has technology become part of the problem rather than the solution and is there a way for it to help solve the skills shortage?
The annual exodus usually sees around 4-7,000 exit the profession but the reality is that we’re now seeing many more become disillusioned and join the ‘Great Resignation’ post-pandemic. A key cause of this is the technology they use to do their jobs. Cybersecurity professionals now need to monitor security stacks comprised of multiple proprietary point solutions. In order to do so, they’ll have had to learn how those work, so now have non-transferable skills, and the solutions themselves often generate high false positive rates, leading to alert fatigue. Altogether this is resulting in burnout rates, with research from VMWare revealing that over half feel extremely stressed leading to 65% of them considering quitting.
Old and new expertise
From a technology perspective, the exodus means a loss of experience and less of those around who know how these systems work. This is particularly true for legacy systems, for example, mainframes are still used for mission critical processes in sectors such as banking, telecoms and retail, with IBM revealing 67 out of out of the Fortune 100 rely on them. The likelihood is that these systems will continue in operation for at least another decade while these businesses digitally transform yet those with the skills to maintain them are diminishing.
At the other end of the spectrum, we find there are not enough people skilled in emerging disciplines, such as cloud, AIOps (artificial intelligence for IT operations) which covers data analytics, machine learning and artificial intelligence, and DevSecOps (development and security operations). According to a recent ISACA survey of technology professionals,48 percent think there is insufficient investment in training to navigate the changing technology landscape, while an ISSA survey found nearly a quarter were not receiving the 40 hours plus training per year needed to maintain and advance their skillsets.
The repercussions for the enterprise are only just beginning to be felt. It’s becoming increasingly difficult to manage existing infrastructures but it will also be very difficult to move forwards and to adopt new technology. This effectively puts businesses in a state of limbo which will likely be exacerbated by the current economic conditions. But it could also make them more vulnerable. Attackers, funded by organised crime and nation states, will not be disadvantaged in the same way, meaning they are well positioned to exploit any slip in security. Indeed, a survey by the World Economic Forum found 60% think the skills shortage will compromise the security team’s ability to respond to a security incident.
Tech as an enabler
Automation in the form of machine learning is now beginning to make an impact and the hope is it will help to alleviate workloads. We’re seeing continuous monitoring solutions emerge in a number of different fields, from Cloud Security Posture Management (CSPM) for the cloud to Continuous Automated Red Teaming (CART) for security testing and compliance, for example.
In theory, these solutions should help by automating the mundane, freeing up professionals to use their intuition and giving them the time to learn new skillsets. At this moment in time its clear that that is not happening. Despite the investment in cybersecurity solutions, 82% of those questioned in the ISSA survey found their existing job requirements were preventing them from developing their skills so clearly there are still very high workloads that are acting as a barrier to progression.
We can also expect some convergence in the security space as solutions combine and prioritise third party integration and open standards. This should help to whittle down the security stack which currently averages between 20-70 point security solutions within medium to large organisations. Not only will this result in less systems to monitor but it should help modernise things so that professionals also stand to benefit from transferable skills which they can then use when they switch employers.
From a recruitment perspective, technology is helping to focus hirers on more than just certifications. There’s now a growing appreciation for soft skills and problem solving, making aptitude tests and video interviews now part and parcel of the recruitment process. But we have some way to go yet in reaching raw talent and convincing them to apply. Somewhat shockingly, a a survey of Generation Z (16-24) candidates revealed almost half thought the subjects they studied at school would preclude them from entering the profession even though they were interested in doing so.
Thus far it’s clear that technology has been focused on improving the security posture of the organisation but often at the expense of the workforce. Recruitment processes have been too narrowly focused with employers asking for too much experience. And candidates are either disillusioned or feel dismissed. Going forward, the hope is that technology will help to correct these issues and become the enabler that allows people’s careers to thrive and through automation will do the heavy lifting, encouraging them to remain in the sector.