There’s good news, and there’s bad news. The good news is that the number of cybersecurity professionals has reached an all-time high. According to (ISC)2’s annual Cybersecurity Workforce Study, 4.7 million people currently work in a security-related job.
The bad news: the study also found a worldwide gap of 3.4 million cybersecurity workers, and 70% of those surveyed said they think their organization’s security team is understaffed, decreasing its effectiveness.
As cyberattacks grow increasingly sophisticated and threat landscapes expand, organizations need to get creative in their cybersecurity approach. It’s not enough to tweak how skill sets are built. We need to start reimagining what internal cybersecurity programs should look like from the ground up.
Cybersecurity is all about people
Cyber skills shouldn’t be reserved for experienced and well-trained cybersecurity professionals. While the security team runs the show, its job is primarily to focus on the technology side of things.
But most cyber incidents are the result of human error or ignorance about best security practices. Unfortunately, sometimes the workplace culture doesn’t encourage employees to come forward when they see or do something unusual. That helps threats slip under the radar until it’s too late.
Security best practices only work when everyone is a part of the solution. This is even more important in the context of our current cybersecurity staffing shortages. Doing more to make security an “all hands on deck” atmosphere will help close the skills gap.
Certification for beginners
One of the biggest hurdles in closing the talent gap isn’t a lack of people with the right skills, but rather unobtainable standards for employees just beginning their careers. Too many entry-level positions want new hires to have certifications like Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM). However, most of these certifications require several years of job experience as a prerequisite for taking the exam (many require five years), and the exams are expensive (costing hundreds of dollars) and difficult to pass on the first attempt. Then, once someone achieves certification, they aren’t applying for entry-level positions.
This approach has kept out many potential cybersecurity professionals who are just beginning their careers. Recognizing the certification roadblock in the talent gap, (ISC)2 jump-started a new initiative called One Million Certified in Cybersecurity. Participants enroll as an (ISC)2 candidate, where they will get free training in a self-paced course and a free exam opportunity. Once certified, the participant will have access to the professional development opportunities and resources that other certified professionals have. While the overall objective is to increase the available skilled labor needed in entry-level positions and beyond, it is also an opportunity for more people to explore a cyber career without spending thousands of dollars. Most importantly, it should offer employers confidence when bringing in less experienced talent.
“Employers need confidence that when hiring new entrants into the field they have a solid grasp of the right technical concepts, and a demonstrated aptitude to learn on the job,” (ISC)2 asserted, adding that with the creation of such a certificate, it will enable job candidates to “demonstrate to employers their familiarity with foundational cybersecurity concepts as determined by cybersecurity professionals and practitioners already in the field.”
Rethinking security awareness training
Security awareness training doesn’t work. A study from Elevate Security found that, while security training does slightly lower phishing click rates in simulations, it has little to no effect in real-world attacks when that training really matters. Periodic online quizzes or annual lectures aren’t moving the needle.
A different style of training may make a bigger difference. When users understand the consequences of their actions and how to decrease risk, they become partners with cybersecurity professionals. The goal is to reduce human-caused incidents so the security team can focus on the tech side of the job. But first, users need to be better engaged in their awareness training activities.
During the Insider Risk Summit, the Head of Trust Culture and Training with Atlassian, Marisa Fagan, said that training should be fun. When training is enjoyable, employees feel like they are a part of something important to the company. According to Fagan, effective security training should be relevant and fast-paced and add an element of storytelling. You want to have employees talking about the session and sharing what they learned in casual conversations.
Fagan suggested training films that are actual movies; they have an action film’s drama and excitement but are tailored to highlight your organization’s security concerns. They’re much more engaging than a PowerPoint presentation, and that makes the training stick.
Changing behavior to bridge the gap
Reframing cybersecurity while dealing with a skills shortage will involve changing overall behavior. Just as security awareness training must be encouraging in order to be effective, enforcing security best practices will rely on user experience. You want users to reach the point of making better decisions and regularly doing the right thing, according to Ira Winkler, field CISO and vice president with CYE, who spoke at the 2022 (ISC)2 Security Congress.
Security teams can take steps to embed cybersecurity into job functions and modify IT interfaces to encourage behaviors that reinforce good security habits. Overall, employees should be “caught” doing the right things and rewarded for it, rather than punished for doing the wrong thing.
The skills shortage is not going to disappear overnight. However, with steps such as improving security awareness training or accepting beginner certifications as an entry-level qualification, organizations can adjust their approach to their cybersecurity posture and build a foundation that supports the cybersecurity team.