- The worsening cybersecurity talent shortage has resulted in increased workloads for cyber teams, unfilled vacancies, and high levels of staff burnout.
- 71% of global cybersecurity professionals surveyed earlier this year said their organizations were affected by a cybersecurity skills shortage.
- Increased pay and continuing education opportunities are among the ways to attract and retain cyber talent.
The cybersecurity skills shortage has existed for years, but the situation is getting worse as more companies cite the problem.
Nearly three-quarters (71%) of IT and cybersecurity professionals worldwide surveyed earlier this year say their organizations are affected by a cybersecurity skills shortage, according to a report by research firm Enterprise Strategy Group (ESG) and cybersecurity professional organization Information Systems Security Association. This is a significant increase from the 57% who cited the skills gap in a study published by ESG in July 2022.
Survey respondents say the deepening talent shortage is leading to increased workloads for cybersecurity teams, unfilled job openings, and high levels of staff burnout. Almost all respondents said the cybersecurity skills shortage and its consequences have not improved in recent years, with 54% saying it has gotten worse.
“It certainly happened, but [rise] John Olczyk, Distinguished Analyst and ESG Fellow: “We need staff for this,” he said.
So what can companies do to attract more cyber talent when there are so few experts?
Artificial intelligence, especially generative AI, could play a growing role in alleviating skills shortages.
“CISOs cannot hire their way out of the skills shortage, so they must rely on three things: process automation, advanced analytics, and managed services,” Olczyk said. “Generative AI has the potential to be useful in all three areas.”
Generative AI can also aggregate security data, suggest next steps for enhancements, and perform automated actions when configured to do so, Olczyk said. “This increases staff efficiency and productivity,” he said.
Gen AI can also piggyback on analytics engines to assist security analysts in areas such as alert triage and security investigation, Olczyk said. The technology can also help train cybersecurity analysts, he said.
“Things to note: [gen AI] security is still in its infancy and has not been widely adopted,” Olczyk said, adding that “many CISOs I spoke to remain skeptical and take a more pragmatic approach to adoption. We are making plans,” and that this could change over the next 12 to 18 months.
“As a cybersecurity expert, I urge organizations to be very careful when using generative artificial intelligence and to ensure that they can use any form of AI or machine learning that is considered a mature product or solution,” said Candy Alexander, immediate past president of ISSA International, who is the CISO and practice director of NeuEon LLC, a business management consulting firm.
Gen AI and large language models “are still in their infancy and are known to have biases,” Alexander said. “Imagine the possibility of manipulating some of it. [gen AI applications] Also includes LLMs with corrupted knowledge pools.”
Still, there is potential for profit. “I think this is an area to watch and perhaps experiment with,” Alexander said. “It’s difficult to verify [gen AI] At this point it’s an LLM. It’s like the Wild West now.”
Some people now favor AI as a solution.
“Generative AI could help organizations fill cybersecurity skills and talent gaps through on-the-job training and virtual team members,” said Jason Shockey, senior vice president and CISO at mortgage servicer Senlar FSB.
Shockey describes a common scenario in which an organization has an inexperienced member on its cyber team. Cybersecurity trainees require hours of coaching and mentoring to be effective and successful. In some cases, senior team members are unable to lead because they have to focus on their own tasks and defer to less experienced employees.
“Generative AI can be leveraged to increase the knowledge and work rate of less experienced people by completing repetitive tasks and uncovering knowledge blind spots, such as job aids and virtual cybersecurity mentors. It could be possible,” Shockey said.
Shockey said generative AI can also be used as a virtual team member in the event of a talent vacancy. “For example, an organization’s cyber team just lost its chief security architect and is finding it difficult to fill that gap,” he said. “Teams can close that gap by having generative AI evaluate data and review architecture from a security perspective. In other words, they can treat generative AI as a virtual member of their cyber team.”
Another thing organizations can do to attract more security talent is to make the jobs they have to fill more attractive to candidates. A good place to start is with pay. 59% of ESG survey respondents cited increased compensation as a way to become more competitive for talent, “so it’s clear that security professionals are often underpaid,” Olczyk said.
In addition to money, organizations can also offer incentives such as paying for certifications or for travel and expenses to industry events. Olczyk said the survey showed that professionals want continued training and career development.
Human resources teams and recruiters often set unrealistic job requirements for cyber-related jobs, Olczyk says, such as entry-level positions that require five years of experience. “We believe it’s important for security professionals to cast a wider net, find talent with strong analytical and problem-solving skills, and train them accordingly,” he said.
Casting a wider net involves looking beyond security professionals and more broadly inside and outside your organization.
“To maximize your organization’s potential to close the cyber talent and skills gap, you need to engage everyone within your organization. [organization] We need that,” Shockey said.
“With a wider cast, it’s easier to find the cyber talent we need,” Shockey said. “If you have a small number of existing employees, that’s fine. Organizational Security offers an opportunity to evaluate and match a strong external candidate to see if he’s a good fit for your team.”
CISOs and other cybersecurity leaders must ensure that executives understand the importance of acquiring the necessary skills.
“There seems to be a disconnect in security strategy” within the organization, Alexander said. She says company leaders don’t fully understand the capabilities of cybersecurity or the skills needed to fill positions or simply keep up with technology.
“It’s like when fighter jets are updated every few years and the pilots aren’t trained [or] Alexander said it’s important for business leaders to have ongoing conversations with cybersecurity leaders, and for cyber leaders to communicate in business terms with business leaders, including human resources.