By this
point, every organization that needs a skilled team of cybersecurity
professionals knows about the skills gap. Companies in all industries are
fishing for the freshest cybersecurity talent in a shrinking pond of potential
candidates: The latest (ISC)2 Cybersecurity Workforce
Study found that the U.S. alone faces a
shortage of 500,000 positions. Meeting that demand would mean a 62 percent
increase in available cybersecurity professionals. When looking at the global
workforce, that number is a staggering 145 percent.
The
skills gap creates problems for those responsible for managing security teams
(security managers, directors and CISOs). While out-of-the-box approaches—like
hiring talent with non-security backgrounds to learn security skills on the
job—open up more possibilities for solving this problem, companies can find
additional ways to boost their teams without adding headcount.
Hiring alone isn’t the only option to
fill the skills gap. Sure, you want to find top
talent with the best experience, but there are three other methods for closing
the skills gap that you can implement in the meantime.
Let Managed Services Pick Up the Slack
Outsourcing some of your core security
tasks to a well-established managed services provider instantly augments your
security team’s capabilities. You can do this by selecting one pillar of your
cybersecurity strategy—such as vulnerability management, compliance framework
alignment, or configuration management—and apply managed services to just that
pillar. For broader coverage, choose a service that gives you a well-rounded
combination of multiple areas that need to be covered.
A key benefit of this approach is that
you don’t need to purchase additional servers, databases, or OS licenses, each
of which also require maintenance and administration. Another option is a
hybrid approach—taking on a residential engineer. An RE from your chosen
managed service provider gives you on-the-ground help running your cybersecurity
program for a specified amount of time.
Get Better Company-Wide Security Education
Everyone in your company uses email,
which is still a leading attack vector year after year. Your overall security
posture is harmed by thinking of the security team as the only people
responsible for your organization’s security. In NIST’s Cybersecurity is Everyone’s Job, a report by the National Initiative for Cybersecurity Education Working
Group says, “Unfortunately, many organizations limit security responsibilities
to designated security personnel that perform specialized security functions.
Effective security must be enterprise-wide, involving everyone in fulfilling
security responsibilities. Each member of the group, from the newest employee
to the chief executive, holds the power to harm or to help, to weaken or
strengthen, the organization’s security posture.”
System administrators and IT staff are
just as responsible for keeping threats at bay as security-focused personnel.
The same goes for the HR department, marketing professionals, and anyone else
who handles company data. A truly mature organization will begin to
self-enforce and monitor, and this is a cultural shift that comes from building
security into the organization. Without good company-wide security education,
filling the skills gap will only take an organization so far.
Automate Basic Cybersecurity Controls
How much of your security process can be
automated? Automating is a third way to manage operational shortages arising
from the skills gap. For example, you can’t manually audit logs every
day—there’s just too much data. A
security information and event management (SIEM) can do much of that work for
you. Vulnerability assessments are another arduous process if preformed
manually. Ideally, you can write rules so that when your tools pick up a
vulnerability it can fix it without human involvement or integrate with an ITSM
tool to automate the workflows. We’ll never be able to react as quickly as
computers, but an agent or sensor can act upon what it finds right away.
As more workloads are moved to the public
cloud, companies are looking for solutions that automatically remediate
configuration and security weaknesses. Automation makes a security team more
efficient and any process that is predictable and repeatable is a good target.
Anthony Israel-Davis, Sr. Manager, Tripwire
