Does the future of cybersecurity lie in tools or talent?

The cybersecurity industry has a serious staffing shortfall, but can the gap be filled with tech?
28 September 2020
  • Many believe that outsourcing cybersecurity or procuring the right technology can help overcome cybersecurity skill shortages, stress and burnout
  • The key remains to equip your IT and security teams with the education to use these tools effectively 

There’s a serious shortfall in the number of skilled cybersecurity staff across companies, industries, and even nations. With cybersecurity incidents perpetually rising, this shortfall is a critical vulnerability, and new solutions are needed to build the cybersecurity workforce the networked world necessitates.

One McAfee survey reached out to businesses of varying size across Australia, France, Germany, Israel, Japan, Mexico, the United Kingdom (UK), and the United States (US), each of which has different educational systems, income levels, and political structures. More importantly still, these nations have distinct and varied cybersecurity postures. And yet, every country deemed the demand for qualified cybersecurity professionals to be outpacing its supply of such staff.

The McAfee report highlighted some interesting points:

  • 82% report a shortage of cybersecurity skills, with 76% lamenting the government’s lack of investment in cybersecurity talent
  • One in four say that their organization’s insufficient cybersecurity has damaged its reputation and led directly to the loss of proprietary data through a cyber attack
  • 90% of respondents believe cybersecurity technology can help compensate for skill shortages

Source: McAfee Report: Hacking the Skills Shortage

The usual suspects crop up in the form of a need for greater governmental policy and spend, enhanced cybersecurity education, and a more diverse workforce, from academia upwards. But what other ways are there to bolster cybersecurity as a profession?

Can gamification help a staff shortage? 

One readily-adoptable change is gamification, including capture the flag exercises and hacking competitions. These can help identify talent and cultivate greater cybersecurity skills/presence within an existing workforce. This cross-skilling or up-skilling may be one way of negating job absences, as enterprises can employ from within, based on exercise successes, knowledge, and proficiency.

Technological improvements can reinforce cybersecurity skills, sure. However, 41% of respondents believe compatibility with pre-existing systems will be important when adopting new technologies, so to boost in-house effectiveness or even find the right partner, you need to have the groundwork laid.

Acquisition and implementation costs (as set against the cost of an attack) and technological effectiveness are other elements that impact the procurement of the right tech. A skilled, trained workforce will still be required to integrate, deploy, and run cybersecurity technologies.

Given these nuanced considerations, it’s little wonder that many of McAfee’s respondents are moving to outsource cybersecurity on a greater scale, a trend that is observable more broadly. The solutions most likely to be outsourced are ones that lend themselves to automation and include threat detection (i.e. network monitoring and access management).

Too many tools? 

According to a study by IBM, overinvesting in cybersecurity tools to compensate for limited skills or understaffing can actually hurt corporate defenses. Companies that use more than 50 cybersecurity tools scored 8% lower in their ability to mitigate threats, and 7% lower in their defensive capabilities compared to other enterprises employing fewer toolsets.

Again, the crux of the issue lies with the people: if cybersecurity personnel are not sufficiently skilled, or are thin on the ground as it is, how are complex and fragmented cybersecurity tools going to be deployed adequately?

Although companies that invest in cybersecurity tools have increased by 18% in the past five years, many of these same companies are reporting they are 13% less effective at containing active threats.

Investment is still important, but the coronavirus pandemic has revealed which companies have cybersecurity protocols and safe remote work policies, and which ones are scrambling to get their act together.

Remote working 

The push to work from home during the coronavirus pandemic is straining cybersecurity professionals the world over; those tasked with ensuring workers are able not only to work efficiently from remote locations but to do so safely are under pressure. With attacks on the rise (and targeting the vulnerability of disparate teams), what tools are there to help companies cope?

A ‘spray and pray’ approach to cybersecurity tool investment, working with an endless list of suppliers, might be effective against untargeted, generic attacks, where attackers have made little effort to research their victim. However, it is unlikely to stand the test of time as threats become more sophisticated, and it will prove a costly measure, particularly in smaller companies where the security function must justify its overheads.

Threats are becoming more sophisticated, so finding the right combination of essential tools and tech is priority number 1. Priority number 1.1 is ensuring that you have the employees and the expertise to maximize the effectiveness of such tools.