The challenge of addressing the IT and security skills gap
In the first of a two-part series, Jonathan Meyers examines the issues surrounding the security skills gap that companies must contend with due to limited budgets, training and more.
The overarching theme of this year's Cybersecurity Awareness Month was "Do Your Part. #BeCyberSmart," and the challenges presented by COVID-19 only validated what security professionals have long been stressing when it comes to security best practices. With the remote workforce continuing to grow, securing devices that were not previously considered from a security perspective is more important than ever before. However, we must not forget the most important security device of all: people.
As important as secure devices are, they're only as good as their human operators. More often than not, organizations either overlook this aspect of security or actively ignore it. In order to improve their security posture, organizations must understand that there's a massive gap between the skills they currently have and the skills they need moving forward. As such, a recent survey of more than 800 industry professionals of varying experience dove headfirst into assessing and addressing skills gap challenges.
Acknowledgement of the cybersecurity skills issue
The first step to solving any problem is to acknowledge that it exists. In years past, organizations big and small just waved their hand when it came to security issues, believing they either had enough resources or it didn't apply to their business. According to the aforementioned survey, nearly three out of four professionals routinely encounter skill gaps on their current teams and two out of three also recognize that these gaps limit their teams' effectiveness. So, why is there still such a divide between the supply of open positions and demand for security and IT professionals?
For starters, it's hard for organizational leaders to upskill their employees when they're so far underwater with current challenges, including the increasing cyber attacks on the remote workforce. This is particularly true for organizations with limited resources. This challenge, coupled with the fact that most employees tend to wait for permission versus taking initiative themselves, often results in security slipping through the cracks until it's too late to address.
Budgetary constraints
Skills gap challenges also persist because there's been a lack of organizational funding for security training. Referencing the survey from earlier, more than a third of respondents admitted that their organizations either decreased their training budgets or had no training budget at all. Another third also cited cost as one of the primary barriers preventing security and IT professionals from getting the skills development training they need. But at the same time, it's extremely difficult to prove the value of security unless an organization has suffered a data breach or cyber attack.
On-premises vs. remote workers
Properly addressing these issues is much more challenging due to the ongoing pandemic forcing employees, departments, and even entire organizations to conduct work remotely. Even though many business processes aren't dramatically affected by this shift, training and learning have completely evolved.
Early on, security and IT teams were stretched so thin fighting traditional fires as organizations adopted the fully remote work model that they were forced to delay upskilling efforts on long-term issues. Also, prior to the work-from-home era, security and IT training often happened in a physical group setting. This allowed team members to "whiteboard" or interact in person to promote engagement. Now, this is nearly impossible to replicate on video conferencing platforms. Body language is impossible to read, and "Zoom fatigue" is affecting everyone.
Vetting, hiring and onboarding
Another challenge that has compounded the skills gap has been the failure of organizations to properly vet applicants and adequately onboard them. The biggest pain point in hiring and onboarding for security positions is vetting the vast number of different skills new employees might have, especially when organizations often don't know the correct skills to look for in applicants. Also, once a new hire is finally onboarded, provisioning access to the tools needed to perform job functions is time-consuming and involves jumping through unnecessary hoops. Not surprisingly, the survey discovered that almost half of organizations do not confirm new hire skills for specific roles, and two out of five rarely or never assess the skills of newly onboarded team members.
Finding the right prescription
Assessing and addressing the security and IT skills gap is much different today than it was just six or even three months ago. Going an entire week without seeing a fellow colleague or being solely focused on fixing old problems is going to have a significant impact on almost everyone at an organization. But everything isn't all doom and gloom. There's also a handful of quick and easy fixes that organizations can implement in order to give them the opportunity to pursue long-term solutions.
About the author
Jonathan Meyers is the head of IT and a principal infrastructure engineer at Cybrary. He is responsible for designing, maintaining and securing all corporate infrastructure including the security enablement platform supporting over 200 companies and 2.5 million users worldwide. He previously worked as a senior DevOps and senior operations engineer at Forcepoint (formerly RedOwl Analytics) where he oversaw the operations and deployment of its hosted and on-premises UEBA e-surveillance product. Meyers holds an information technology degree from The U.S. Military Academy at West Point.