The cybersecurity skills gap continues to be a real issue, but there may finally be a light at the end of the tunnel. For the first time, the skills gap has decreased, according to (ISC)2’s annual Cybersecurity Workforce Study. 

This study defines the skills gap as “the difference between the number of skilled professionals that organizations need to protect their critical assets and the actual capacity available to take on this work. It is not an estimate of open positions available to applicants.”

The good news is that there has been an uptick in people with the right skills for hire. More than 700,000 new cyber defense experts were added over the last year, putting the total number at 3.5 million. That 3.5 million number, however, is about half of the jobs still needing to be filled. 

The bad news is that the number of job slots has decreased due to uncertainty during the pandemic. But there are skilled professionals out there if you know how and where to look. 

Current State of the Cybersecurity Skills Gap

The pandemic showed the importance of having entry-level cybersecurity teams who can cover a broad range of problems, such as getting employees set up with virtual private networks and awareness training refresher courses. It also highlighted that having someone in-house, or on call, who can handle the more refined, more specific problems — in this case, cloud security — is key. 

Those already in the field rose to the challenge last year to relocate their workforce from on-site to remote. Nearly a third of (ISC)2’s annual Cybersecurity Workforce Study survey respondents say they had only a day or less to make the transition and ensure the same quality of protection for employees and their employer. And, of course, the experts were also working remotely and had to make their own adjustments. As a result, just 18% of companies saw an increase in cyber incidents during the work-from-home period.

“Overall we’re seeing some very positive trends from the cybersecurity workforce reflected in this new data,” Clar Rosso, CEO of (ISC)2, says in a formal statement. “The response to COVID-19 by the community and their ability to help securely migrate entire organizational systems to remote work, almost overnight, has been an unprecedented success and a best-case scenario in a lot of ways. Cybersecurity professionals rose to the challenge and solidified their value to their organizations.”

The Value of Hiring for Cybersecurity Skills

Part of the problem is that business leaders don’t know what they’re looking for when it comes to hiring. They tend to look at cybersecurity skills as a one-size-fits-all need. They believe every single hire should be able to handle every problem. These leaders also often see all security problems as roughly the same. A data breach is a data breach and that’s all that matters. On the other hand, a skilled worker knows data breaches occur through many different attack vectors, and that sometimes what appears to be a data breach isn’t one at all.

Certainly, there is always going to be a role for the person who can handle day-to-day issues, and there will always be a need for new team members to tackle the more arduous needs. But when the person in charge of writing the job description and finalizing the hiring process — usually someone in the human resources (HR) department — doesn’t understand the different layers of the field, they risk bringing in someone who isn’t qualified. In fact, ISACA’s State of Cybersecurity 2020 report found that 72% of all cybersecurity pros believe HR doesn’t understand the company’s basic cybersecurity skills needs. That trickles down into overall best practices and defenses.

This old way of looking at digital protection is outdated. It’s time for employers to realize they have to bring in workers who understand today’s (and tomorrow’s) threats, tools, and the role cybersecurity skills play in business. 

Why You Need People With Cloud Cybersecurity Skills

Cloud security is one of the fastest growing cybersecurity job skills, according to Burning Glass. The need for this specific skill is expected to grow by 115% over the next five years, and it offers about $15,000 more on top of the usual initial industry salary. There are a lot of jobs out there for someone with cloud skills, with nearly 20,000 job openings. While there are fewer job openings for this skill set than other rising security jobs, someone with cloud expertise is at the highest premium.

Cloud protection requires different skill sets than other similar positions, such as knowing the technologies behind cloud architectures, system configuration, identity management, virtualization and basic knowledge around using cloud-based security tools. 

“For example, one of the biggest challenges of many cloud-based security tools is the time and skill required to properly configure and manage them, let alone adjusting those configurations to eliminate false positives, or to ensure they don’t miss critical events or drop legitimate traffic,” reports.

Look Beyond IT 

Basic IT security teams don’t always have the skill set to handle misconfigurations and data leakage that occur in the DevOps process, despite DevOps’ continued importance to IT and business.

Cloud cybersecurity skills need to go beyond knowing the tech. The expert in this field also must be well-versed in rules and regulations. They must understand the most common frameworks, such as those from the National Institute of Standards and Technology and the Payment Card Industry Data Security Standard, and their company’s specific industry standards. It’s also their job to follow data privacy laws, protect the data in the cloud, keep their employer in compliance and build safeguards around the data and data access.

How to Find Cloud Experts 

Needing to add someone with cloud cybersecurity skills to your team is one thing. Finding one is harder. As we said earlier, there is a high premium on cloud defense skills, not just because of their value in a cloud-centric industry, but also because people with these skills are so difficult to find in a job market where there is already a serious cybersecurity skills gap. 

So how do you do it?

First, you can look in your own backyard. Just as employers recruit their newest security team member from within, you can also find and nurture a cloud defense expert from within your current IT or security team. If you already have someone handling your cloud IT or someone interested in gaining more specific skills, there are cloud security certifications available to begin the transition. 

If no one in-house can tackle this role, look at the talent pool outside. Attend conferences to get a better look at the skills you need in a cloud defense expert, and network with people who can recommend skilled workers. Hire college interns and set them on a path for what you need. Searching for former military and law enforcement — people who understand risk assessment and maybe have an IT background — is an often-forgotten way to look for potential hires. You may not be able to find someone who has the skill sets you need right now. But, if it is important to have a cloud security expert despite the cybersecurity skills gap, be willing to put the effort in for the training. Pay them what they are worth so you don’t lose them to a better offer.

Outsourcing or Hiring From Within 

Another option is to turn to a managed security service provider (MSSP). This offers 24/7 coverage of your cloud and takes the onus of cloud defense off your people. However, it also gives you less control. Another option, which might work especially well for smaller businesses with heavy cloud computing usage, is to join forces with a group of businesses and share resources.

Finally, when searching, ignore the job title on the resume. Instead, look at the actual job duties and skills. HR and business leaders are the ones who come up with these titles, and they don’t always show the person’s actual job. Somebody may have the title ‘security operations manager’, but perhaps they were really working on cloud security operations. Don’t let the HR department or C-suite determine which candidates get passed along only because of their titles or minimal job descriptions. 

According to (ISC)2’s report, 40% of the respondents say that cloud security is the most in-demand skill among organizations and cybersecurity teams. That’s because cloud computing has taken an outsized role in business today.

The person with the right cybersecurity skills for your company is out there. You may just have to be flexible and creative to find them. 
