For one filed cybersecurity professional position on the market in 2020, there will be at least three vacant positions. Often overworked, underappreciated and frequently blamed for a single failure and unacknowledged for successes, cybersecurity professionals tend to become ‘alien gem’.
Our reality: almost anybody can become a cybercriminal
In mid-May 2020, multiple supercomputers in European institutions were infected with cryptojacking malware, reported Panda Security. Due to these incidents, the organisations where these supercomputers are located have been forced to stop their research to investigate the intrusions. These incidents are further proof that cybersecurity is a key element in today’s world: not even the most advanced supercomputers are safe from cybercriminals, rightly concluded the same source.
Some time ago, hacking computer systems required a high degree of expertise, which necessitated lots of learning and exercising time. Moreover, the older generation of hackers had to spend months of testing systems and looking for weak entry points before the strike.
Things have drastically changed in the past decade. It is now sufficient to get on YouTube or enrol some of the Massive open online course (MOOC) and learn hacking skills. If you are not in a learning mood, there are faster ways to the hacking world.
The fastest and often cheapest way is to become a ‘script kiddie’: simply buy ready-made, off-shell malicious software form the dark web. For this, you need only access to the dark web and some cryptocurrency in their vaults.
For more demanding actions, there is a faster but more expansive way: you can pay someone else to do the hard work. Depending on the task at hands, established hackers or hacking groups will charge the agreed sum of crypto money.
No, we are not trying to persuade you to become a meanie hacker – it is illegal. We are merely pointing out to the enormous task faced by cybersecurity professionals.
The greatest cybersecurity threat: not enough qualified and skilled professionals
For one occupied cybersecurity position on the market in 2020, there will be at least three vacant positions. Cybersecurity Ventures’ prediction that there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014.
The World Economic Forum (WEF) recently observed that nowhere is the workforce-skills gap more pronounced than in cybersecurity. A few months ago, the Harvard Business Review stated that the majority of chief information security officers around the world are worried about the cybersecurity skills gap, with 58% of CISOs believing the problem of not having an expert cyber staff will worsen.
The Cybercrime Magazine reports that, according to the Cybersecurity Ventures forecasts, 100% of large global corporations (Fortune 500, Global 2000) will have a CISO or equivalent position by 2021 (up from 70% in 2018) – although many of them will be unfilled due to a lack of experienced candidates.
The MIT Technology Review indicated that out of four candidates who are applying for the cybersecurity positions only one is qualified. No wonder that there is a zero-percent unemployment rate in cybersecurity and that the opportunities in this field seem endless.
The impact of this skill gap is severe. Forbsrecently reported that 74% of companies, surveyed by them, stated that the skills shortage is impacting their business, including the ability to keep their information secure.
One of the factors underpinning skills shortage lies in the fact that cybersecurity is a challenging environment that requires highly trained and intelligent people ready to dedicate their time and energy 24/7/365.
Another factor is the burnout rate in this field. A CISO level report underlines that about 90% of security professionals suffer moderate to high levels of stress while 60% have trouble switching off and cannot easily disconnect their business stress from their personal lives.
Cybersecurity professionals simply must master stress management techniques if they are to have a ‘near-normal’ life.
Going from bad to worse…
On top of all cybersecurity industry problems comes the Covid-19 pandemic. A very recent Barracuda Networks report warned that over two-fifths (41%) of global businesses have cut cybersecurity budgets due to Covid-19-related financial pressures.
Adding to the problem, a recent Burning Glass study pointed out that technical training organisations do not supply enough cybersecurity professionals. In other words, the demand for cybersecurity professionals is outstripping the supply of skilled workers. Burning Glass reported that the number of cybersecurity job postings has grown 94% in just six years but not enough suitable candidates to occupy these positions.
The National Center for Education Statistics (NCES) shows the number of new cybersecurity programs has increased by 33%. However, the demand is growing faster as cybersecurity is now considered mission-critical in most organisations. The cybersecurity job postings have exploded.
Moreover, the retention of cybersecurity professionals is for a long time a major issue for employers. According to a recent McAfee survey, which included 950 cybersecurity managers and professionals at organisations with 500 or more employees in the U.S., U.K., Germany, France, Singapore, Australia, and Japan, 89% of respondents would consider leaving their roles if offered the right type of incentive!
The above figures are not encouraging, not at all. Is than everything doom and gloom? We at VM Advisory do not think so.
Working together as a solution
The security professionals are, often wrongly than rightly, blamed for the failure of organisational information security. As we witness, there are currently not even enough cybersecurity professionals ‘to be blamed’. Instead of the blame game, we should learn to work together and share responsibility.
As we recently suggested, it is important to understand that there are three general layers responsible for securing organisational digital future.
The first layer consists of information security professionals responsible to, primarily technologically, protect organisational informational assets.
The second layer represents the company’s IT department that is in charge of supporting the organisation’s business goals and operations.
Although indispensable for organisational functioning in the digital world, this second layer sometimes appears as a stumbling block between the top management and the security professionals. This is somewhat understandable as the IT function attempts to secure the permanent availability of technology to the business people, often neglecting security issues.
The third, enabling layer represents the group of business leaders, including managers and executives. This layer is responsible for strategies, policies and, equally importantly, the allocation of necessary resources for securing valuable organisational information resources.
By the roles those groups of people (layers) play, it appears logical that none of them can make an organisation digitally secure solely. Instead, only working together those people can make apt information security-related decisions.
In this regard, each of these groups should understand that cybersecurity is about recognising possible risks to the company’s informational assets and how to effectively address these risks together. In other words, only a synergetic action can produce a satisfactory security result.
At this point, it does not seem that the shortage of cybersecurity professionals will be eased in the near future. It also does not seem possible that technology (e.g. AI, machine earning, quantum computing) will sufficiently substitute human contribution to cybersecurity. Hence, we should learn to work together and share responsibilities to protect our digital world.