To start building solutions to the skills gap problem, it is key to look at it in all its dimensions.
The debate around the cyber security skills gap continues to ride fairly high on the security industry’s agenda, but to start building solutions, it is key to look at the problem in all its dimensions.
The cyber security skills gap problem has its origins in three interlocking factors:
There is undoubtedly a growing demand for cyber skills, rooted in long-term trends towards the digitization of many industries and the avalanche of cyber-attacks we have seen over the past 10 years, both aspects greatly amplified by the COVID crisis.
Many organisations – large and small – which never had an infosec function before now have one or are building one. Many organisations which didn't know what a pen test was are now running them regularly. We need far more cyber security analysts, developers, testers and managers than ever before, and education and training programmes are struggling to keep up with both the growth in demand and the diversity of the roles.
But you cannot end the analysis at this point and conclude that the solution lies entirely in attracting and training more people. Because the problem has at least two additional dimensions you also need to act on:
Many large organisations tend to respond to the growing cyber security emergency by scaling up legacy operational processes and by perpetuating a culture which believes that the solution to every cyber security problem is technical in nature and requires more tools. This is fuelled by countless tech vendors and large consultancies, but also by many CISOs being technologists by trade and by background, hopping from job to job and carrying the same technical recipes with them. The result is a proliferation of tools – poorly integrated, often only partially deployed or implemented – which simply embeds manual steps within the security operational processes of many large firms and dramatically increases their demand for resources and skills.
This also drives attrition, in particular at analyst level and in many entry-level cyber security roles, because it results in jobs which are excessively repetitive and boring, with limited career development options. So attracting and training more people is key to fixing the cyber security skills gap – certainly in the long run – but if you can't keep them in the industry because you give them boring jobs and no career path, the problem has the potential to become self-perpetuating.
To break this cycle, and in parallel with increasing long-term efforts around training at all levels, the security industry must look at the short to mid term: accelerate automation and tools integration, and focus on decluttering legacy tooling landscapes and operational processes, so that fewer analysts have more rewarding jobs in which they can develop further and bring more value.
This is certainly harder for CISOs than simply hiring more people, but jumping straight to AI-driven solutions – which may be immature or over-hyped – is not the answer either; it is just the continuation of the same tech-driven obsession which led to the proliferation of security tools in the first place.
More than ever, the key to driving a successful decluttering and automation project around cyber security is to keep things simple and to focus on people and process first, then technology.