Never-Mind the Gap: It Isn't Skills We're Short Of, It's Common Sense

“Help, we’re struggling to find the people we need!” A never-ending story we hear about all the time. In layman’s terms, we’re facing a cybersecurity skills gap. 

We’re becoming all too aware of the gap between the skills we need and the resources we have. Businesses are competing for skills not only with each other but, in some cases, with criminal groups. Yet, is this a problem of our own design? With organizations having dozens, if not hundreds, of security tools, each needing its own personnel to look after it, of course we don’t have enough people to go around. We’ve become victims of the battery of products we think are going to save us from ransomware.

The truth is, every new product you purchase is dividing your resources further. We need to change our mindset away from resource-intensive, multiple-product security teams and focus on giving teams the tools and the time they need to be effective. In many cases, systems and tools are deployed without utilizing their full capabilities. They’re long forgotten by the time you need them, and something new is purchased. 

Multiple tools provide a warm sense of security, but backups are still the most important defense against ransomware. Bad actors will continue to attack, so growing the security workforce is a continuous endeavor. However, how exactly do we entice young people and mid-level professionals to jump onto the cybersecurity ship?

It’s Not All Technical, but if You’re Interested

The fundamental problem of the shortage is that when we train staff in specific products, rather than wider security frameworks, they don’t get the transferable skills they need to survive growing cyber-threats. This ultimately means that even the most experienced security professionals are spending most of their time dealing with attacks instead of planning for the future.

Every person working in cybersecurity today started somewhere, and the amount of learning material currently available surpasses what was around when many of us started out. Enticing the right person to one of these outlets can spark a flame that can burn through an organization faster than anything else. When you ignite a passion, you ignite something deeper, and aiding these individuals in manifesting their talent can only benefit your organization.

There needs to be a new narrative that cybersecurity is not only about having technical prowess, because many roles don’t require a high level of technical expertise. These positions are a great stepping stone into the industry for those who lack the core technological know-how you might expect when you think of a “cybersecurity expert,” and they provide valuable insights and input to the security teams.

Organizations love silos, but what happens when larger strategies overlap silos, technologies and outcomes? For this again, we point to people. Brushing aside traditional structures in favor of an outcomes-based approach would not only empower the right people but also reduce your expenditure. By building a reputation for supporting your staff, doing things away from the status quo and providing the tools needed for growth, you in turn entice new staff. This seems like a win-win to me.

Skills shortage? No. The skills are right under our noses; we just need to utilize them more effectively to succeed.

People Will Save Us, Not Products

While I would never suggest you remove all of your security tools, I would also recommend that you don’t solely rely on them. Those solutions are ultimately in place to protect your systems should something happen. The answer to cyber-resilience isn’t a preventative solution; it’s one that acts as a line of defense for when the worst happens. After all, what’s the worst outcome of an attack? Is it paying the attacker or the disruption to your operations? I’d argue the latter. At the core of your cyber-resiliency are your people. If you can focus on the few tools that protect your data, you can focus your energy on giving your teams the time, training and resources they need for success.

With all of these things in place, the skills gap will no longer seem as daunting. We’re so busy focusing our energy on prevention that we’re putting the teams who need the most help at a disadvantage. An over-encumbered expert is no expert at all. When you eventually decide that coaching and maturing them is important, they will then utilize their abilities to their best capacity.

With the right mindset supported by the right solutions, leadership and people, resilience can be achieved, data can be protected and the question of paying or not paying a ransom can become a thing of the past. 
