The lack of cybersecurity talent is nothing new. It’s a problem that all businesses have been facing for several years and it’s getting worse. There have been many proposals on how to narrow the gap, but so far all efforts have been futile. Let’s have a look at what is causing the gap, what can be done to narrow it, and what we believe are the best ways to effectively combat the shortage of cybersecurity skills.

Step 1. Accept the cybersecurity skills shortage

Industry analysts have predicted that the gap will keep widening in the coming years, as it has been doing since before the pandemic. While certain strategies for narrowing the gap might prove effective in the long run, it doesn’t seem like anything can be done in the short term.

There are several reasons why the gap is widening:

  • While IT technologies are already the backbone of a business, they are still developing and growing. More and more organizations of all sizes are adopting IT for more and more purposes with cloud technologies making it much easier. Therefore, the number of assets to protect keeps growing quickly, and so does the number of cybersecurity job openings, especially in the field of cloud security and web application security.
  • Criminals are finding new ways to exploit the lack of IT security and they’re learning how to benefit from it. A few years ago, cybercrime was mostly perceived as the focus of small operations but it is increasingly adopted by major criminal organizations. This means that the risk of a cyberattack is greater, especially for major enterprises and institutions.
  • When businesses grow, so does the complexity of their systems. This means that not only are there more assets to protect but they are more difficult to protect.
  • Work is often very stressful for cybersecurity professionals. Cybersecurity roles come with great responsibility and a lot of uncertainty because you can never protect systems against every possible type of intrusion. When a breach occurs, it’s usually the security professionals that are blamed, not those who are responsible for the root cause of the problem. A large portion of the talent shortage is caused by the burnout of existing professionals.
  • Due to the nature of their work, those working in the cybersecurity field often prefer to freelance in the private sector instead of joining major organizations, especially in the post-COVID era, when remote and freelance work is even more common. On the other hand, major organizations are not always comfortable with trusting someone who is not part of their culture with something as important as security.
  • Cybersecurity is difficult to learn, so the talent pool is limited. It not only requires an excellent understanding of IT and extensive skill sets including development and administration but an inquisitive and creative mind with diverse talents and the ability to think outside the box. There are not that many people in the world who can handle it.
  • Cybersecurity has not yet been adopted by enough educational institutions. There are just a few four-year degree programs, both in North America and elsewhere, that prepare students for cybersecurity careers, and cybersecurity education often begins too late, even though it could already begin in high school – an ISC training course or certificate obtained at work is not enough to become a cybersecurity expert. Even worse, the cybersecurity talent gap also affects educational institutions, because there are not enough experts willing to teach others.

Step 2. Improve awareness and educate

Some businesses attempt to narrow the gap by retraining their IT professionals. While there is a chance that some employees with technical skills may be able and willing to take on cybersecurity positions, they still need to have someone to teach them. Most cybersecurity experts today are self-taught and there is very little that an organization can do to help because the availability of security certifications is also limited.

However, the real problem is that organizations often perceive cybersecurity as something that only the dedicated cybersecurity workforce should deal with. This perception is the cause of several problems mentioned above, for example, the high level of stress and burnout for cybersecurity staff. Security teams often work alone and the rest of the organization is not aware, not educated, and worst of all: does not feel responsible for security.

Therefore, the key to narrowing the gap is to look at cybersecurity as everyone’s problem. Developers, administrators, DevOps, QA engineers, and even non-technical personnel should be aware and educated.

  • Organizations should introduce basic cybersecurity training for everyone in the company, for example, on how to recognize and respond to malware, phishing/social engineering, and ransomware attacks. You should make such training part of the regular business schedule, not just treat it as a one-time onboarding activity or an occasional initiative.
  • Your cybersecurity team should include more educators. When you search for new talent, make sure that the candidates are able and willing to provide training.
  • Every developer should have basic training on how to avoid security vulnerabilities in code and be held responsible for such problems as much as any other bugs.
  • Every QA engineer should know how to use tools to verify cybersecurity. Tools such as vulnerability scanners should no longer be in the hands of a separate security department but treated the same way as, for example, Selenium.
  • Every DevOps engineer should know about security tools that can be used with CI/CD systems, such as DAST and SAST scanners, know how to configure them, and include them in all pipelines.
  • Every project manager, every product or service owner, and every team leader should treat cybersecurity problems the same way other bugs are treated and prioritize their remediation in sprints.
  • The organization must realize that the earlier you start caring about security by assigning the right budgets to preventive initiatives, the less likely it will be that you will have to spend much more on incident response.
  • Finally, every executive should be aware of the importance of information security and cybersecurity in general, not just the CISO. Executives should also understand the threat landscape, for example, they should realize that insider threats are just as important as external cyber threats, and internal business assets and information systems need as much protection as public ones.

Step 3. Embrace the outsiders

The biggest IT leaders in the world are setting an example that should be followed by every organization. Companies such as Google, Facebook, Apple, and Microsoft all have bounty programs for security bugs. If they can trust outsiders with their systems, so can you.

Bug bounty programs have several advantages:

  • You can reduce the need for internal security testing. Freelance white-hat hackers will gladly perform penetration tests of your systems just to get the bounty.
  • You can improve the way that your business is perceived in the IT community. If you are bold enough to offer a bounty for finding a bug, it means that your company has confidence in its security stance.
  • If young, independent free-thinkers have a way to effectively make money on their skills without compromising their preference for independence, fewer such young people will turn to the dark side and become cybercriminals. Therefore, bounty programs effectively take away resources that otherwise could strengthen criminal organizations.

However, you must remember that having a bug bounty program on its own is not enough. You need to responsibly disclose vulnerabilities and you need to prioritize fixing bounty-related security issues. If not, white-hat hackers will often publicly release the details of your vulnerability just to give you an unpleasant nudge in the right direction.

Many data breaches in recent years could have been avoided by major organizations if only those organizations had a bounty program and worked together with hackers instead of fearing them. Unfortunately, many businesses still think that if a hacker contacts them about a vulnerability that they found, that hacker is a “bad guy” who should be reported to the authorities and their bounty request is a “ransom demand”. With such a mindset, a lot of hackers become cybercriminals even if their intentions were good.

Step 4. Promote automation and integration

The cybersecurity industry is still a bit behind the trends and a lot of tools are still created with dedicated security specialists in mind. Such tools are difficult or even impossible to use in complex environments, for example, as part of a DevSecOps (or SecDevOps) environment. This can be a major problem for organizations that seek to use the methods mentioned above to lessen the impact of unfilled cybersecurity jobs.

A cybersecurity solution, no matter whether it’s for web security or network security, should no longer be a tool for a dedicated team. Its primary user should not be the security analyst. A modern tool should be designed as follows:

  • Developers should not be forced to use a dedicated tool. For example, if they are to fix a security-related bug, they should use their regular issue management system just as they do with any other bug. Therefore, the cybersecurity solution should be fully integrated with such an issue management system and not require the developer to log in to a different tool to manage the issue.
  • QA engineers should not be forced to perform manual security testing using dedicated tools. They should include security tests in their regular suites performed automatically as part of the SDLC.
  • DevOps engineers should be able to easily integrate security testing in CI/CD pipelines, just as they do with any other type of test. They should not spend too much time configuring the security tool.

A modern security tool for the enterprise should be invisible to most users. You can only achieve that if the tool is designed to be automated and integrated as much as possible within even the most complex environments. And building such a tool is exactly what Invicti/Acunetix are doing to have our “five cents” in closing the gap.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.