Overcoming the Cybersecurity Talent Shortage
September 23, 2021 James Chia

The need to guard against cyberattacks has never been so clear as in recent times. This has been driven home by reports of multiple ransomware attacks (a recent one targeting 800 to 1,500 small businesses worldwide), spyware on mobile phones, and the growing awareness of the cybersecurity risks from working remotely or from home.

As organizations respond to that need, however, they find themselves facing another need: the need for cybersecurity professionals.

The shortage of cybersecurity professionals is real, and is expected to worsen. A 2020 Cybersecurity Workforce Study by the International Information System Security Certification Consortium, or (ISC)², found that the cybersecurity workforce is facing a shortage of more than 3 million workers – most of that in Asia Pacific.

To get a better understanding of this shortage, I spoke to Sriram Iyer, Founder and CEO of hrtech.sg, a Singapore-based HR Tech advisory firm specializing in identifying HR technology solutions and resources for enterprises.

Sriram said that he was seeing at least 3 times as many open cybersecurity positions as there were available candidates for such positions. The situation is particularly acute in Singapore, where the difficulty in finding suitable candidates, especially for senior cybersecurity positions such as Security Architects, has led to security jobs moving out of Singapore to other locations like India in the past year.

“That is not to say that places like India do not have their challenges in filling such positions,” said Sriram. “Challenges are there everywhere when it comes to talent attraction and fulfillment, it’s just that positions are relatively easier to fill in some of those countries where the talent supply is larger compared to Singapore.”

He goes on to explain that broadly speaking, there are 2 types of cybersecurity professionals that organizations are looking for:

  • The Generalist, with a broad knowledge of the cybersecurity domain
  • The Specialist, with deep expertise in a particular aspect of cybersecurity

The Generalists are usually sought by smaller organizations to handle almost all aspects of the organization’s cybersecurity defenses. They are also sought by Systems Integrators who offer cybersecurity solutions and services.

The Specialists, on the other hand, are usually sought by larger organizations to handle specific areas of the organization’s cybersecurity defenses, such as in Information Security, Network Security and Data Center Security. They are also sought by larger Security Consulting firms and Security Operations Centers (SOCs).

While there is a shortage of both types of cybersecurity professionals, Sriram believes that the shortage will only get worse for Cybersecurity Specialists. “IT and other professionals can upskill themselves and be trained as Cybersecurity Generalists, but it is harder and takes longer to be a Cybersecurity Specialist in say Information Security or Cloud Security,” he said. He noted, for example, that the current shortage of cloud professionals makes it that much more difficult to find a Cloud Security professional. Other roles for which Singapore enterprises are struggling to hire talent include DevSecOps and Risk Compliance Specialist roles.

Looking ahead, Sriram felt that the situation will get worse globally, though it would be difficult to say by how much and in which areas. He also felt that more organizations would require their cybersecurity professionals to be certified. With not that many cybersecurity professionals currently having security certifications, and with the continued and growing shortage of such professionals, we can expect those who are already in cybersecurity to be upgrading themselves, and those from other professions to be upskilling themselves to join the ranks of cybersecurity professionals.

Such upgrading and upskilling, however, may not solve the shortage of Cybersecurity Generalists and Specialists that organizations face. Sriram explained that there would always be Cybersecurity Specialists who would want to move out of regular employment and become independent consultants as it is very lucrative especially from a remuneration perspective. And among Cybersecurity Generalists, while the junior professionals would generally want to remain permanently employed, the more senior professionals also aspire to be such independent consultants. “The gig economy is not just confined to the likes of Uber and Grab, but also extends to cybersecurity,” noted Sriram.

Does that mean that organizations should lose all hope and abandon their plans of filling their cybersecurity positions? Or that you must lower the cybersecurity expectations of your IT infrastructure? Not at all.

There are some things you can do, such as those suggested in “How to Address the Cybersecurity Talent Gap”:

  • Review your Hiring Process, including getting security experts involved
  • Set up a comprehensive mentoring model
  • Recruit existing employees

But rather than address the shortage of cybersecurity professionals, we need to address the underlying reason why we need such professionals in the first place, which is to keep IT secure. In this regard, once you realize you may not be able to fill all your cybersecurity staffing needs, it is important to know what can be done to ensure the security of your IT with the staff that you have.

Here are some suggestions on what you can do.

Firstly, we need to help our existing cybersecurity professionals do their jobs better. We can do so by giving them the right security solutions and tools that will help them quickly and easily identify and remedy IT security gaps or cyberattacks. We should also invest in training and developing them so that they are aware of, and know how to handle, security for new areas that your business and IT expand into, as well as manage new and emerging threats in existing areas.

Secondly, we need to provide our existing cybersecurity professionals the help that they need. The cybersecurity domain is vast and continues to grow, and we cannot expect them to know and to be able to handle everything. We need to identify where we are lacking, be it Cybersecurity Generalists or Cybersecurity Specialists and in which areas, then seek external help, whether from Security Consultants on an ad-hoc basis, IT security vendors on a project basis, or Managed Security Service Providers (MSSPs) on a continuing basis.

Thirdly, we should engage with and collaborate with others in our industry. The security issues you face are not really that unique! Other organizations, especially those in a similar industry, face the same issues too. As we share our cybersecurity challenges and what we did to overcome them, we can learn and pick up ideas from each other that would be helpful to us. Who knows, we might even come to a point where we might help each other out and share resources in specific times of need, or work together to manage a common cybersecurity threat. We need to start somewhere to build trust in engaging others – joining an industry association would be a good place to start.

The shortage of cybersecurity professionals does not mean that your IT security must come up short too. By taking steps to alleviate the shortage of staff and having measures to compensate for the shortage, you can have the secure organization that you want.
