Bridging the Cybersecurity Skills Gap

The Struggle to Find Cybersecurity Talent

The Enterprise Strategy Group (ESG) runs an annual global survey among IT professionals. Organizations have been reporting a problematic shortage of cybersecurity staff since 2015, and as of 2019, a massive 53% of them are struggling to fill positions in cybersecurity. The 2019 Cybersecurity Workforce Study from (ISC)2 puts this figure at 65% of organizations. Extrapolating this into actual numbers, research estimates place the cybersecurity talent shortage at 3.5 million jobs worldwide, including some 500,000 in the US alone. Whichever way you cut it, that’s a big gap.

The situation in cybersecurity reflects skills shortages in the wider IT market. However, the growing scale and intensity of cyberattacks means that demand for cybersecurity professionals is growing much faster than in other segments of the IT job market. At the same time, working in cybersecurity requires not only a wide array of soft and technical skills but also a suitable personality. It can also be extremely stressful, so despite enormous demand, IT candidates are less likely to choose a career in the cybersecurity industry.

In other words, we are seeing more unfilled cybersecurity jobs and fewer candidates to fill them. Both of these trends are accelerating, so maybe it’s time to stop talking about “the cybersecurity skills gap” – because everything indicates that the gap is the new normal.

How Organizations Deal with the Shortage of Cybersecurity Skills

Part of the problem is the traditional view of cybersecurity as a bolt-on process that is nice to have but not business-critical. Especially in tougher times, as with the COVID-19 crisis, many organizations include cybersecurity in their cost-cutting exercises, despite the growing intensity of cyberattacks. So the first (and very popular) approach to dealing with unfilled cybersecurity positions is simply to ignore the problem. Unfortunately, research shows that inadequate cybersecurity resources are recognized as a major cause of cyberincidents, and with the growing intensity and impact of data breaches and other cyberattacks, this is clearly not a viable strategy.

Another approach is to widen the talent pool by getting creative when looking for candidates. Instead of just advertising cybersecurity jobs to attract IT professionals and CompSci graduates, some large organizations are building programs to attract, educate, and train staff from outside cybersecurity or even outside the IT industry, in effect growing their own cybersecurity resources. Turning the problem on its head, these initiatives transform the cross-disciplinary nature of cybersecurity work into an advantage. After intensive cybersecurity training, a candidate with no IT background but with the right personality and dedication can become a valuable resource and start a successful cybersecurity career.

For the majority of organizations, the only realistic option is to make the best of existing resources to take the load off security teams. The first step is to make security everyone’s business to eliminate the vast majority of cyberincidents that involve end users. With the right training and a security-oriented culture, organizations can greatly mitigate major risks such as phishing and malware, allowing cybersecurity experts to focus on more advanced attack vectors.

To maximize the effectiveness of understaffed security teams while also retaining cybersecurity talent, organizations need to focus on providing the right tools, efficient workflows, and solid executive sponsorship for cybersecurity. This not only improves security but also minimizes unnecessary work, frustration, stress, and ultimately burnout in cybersecurity teams. With as many as 65% of cybersecurity and IT workers, from junior staff to CISOs, considering quitting their current jobs, care for the working conditions, work organization, and general welfare of cybersecurity staff might well be every organization’s best investment in cybersecurity.

The Cybersecurity Skills Gap in Web Application Security

One of the areas where the cybersecurity talent crunch is biting the hardest is web application security. On top of all the challenges already mentioned, here we also have rapidly growing numbers of web assets that someone has to secure. Large organizations can have thousands of websites and web applications with different owners, technologies, and locations. Now add to this the continued movement of valuable data and business-critical functionality to cloud platforms that can expose sensitive information or even entire business infrastructures to web-based cyberthreats. Clearly, ensuring web application security requires excellent visibility, advanced tools, and well-staffed security teams that have the resources and executive backing to do their job.

Back in the real world, just as many organizations treat cybersecurity as an afterthought, so web application security is often a neglected area within cybersecurity programs, especially compared to endpoint or network security. In effect, small teams are often tasked with securing hundreds of websites and nobody really knows how to do this or even believes it is possible. If fact, many organizations don’t even know where all their websites are or who owns them. Manual testing is not an option at that kind of scale, especially when you’re not sure what to check, so organizations turn to vulnerability scanners and other automated tools to take the burden off security teams. 

The problem is that simply running a scan won’t improve security. If you scan a hundred websites, you might get a report with a thousand suspected vulnerabilities. Now your overworked cybersecurity staff have to go through the results, manually check each item to eliminate false positives, assign vulnerabilities to developers to fix, follow up on the fixes, and so on. This may work for 10, 20, 30 websites – but what about the hundreds that remain?

Some large organizations have simply given up on securing all their web assets. They focus on securing a handful of business-critical websites and web applications, say the top 50. The others are periodically scanned and critical issues are addressed eventually, but nobody is seriously considering securing everything with a small team that isn’t likely to grow any time soon. At the same time, cybercriminals are ramping up their activities and every insecure website could provide them with an easy way to extract confidential information or gain a foothold for further attacks. So what can you do?

Bridge the Gap with Confident Automation

There’s no doubt that automation is the only way to deal with the cybersecurity skills shortage. To get measurable improvements, you need to automate everything that can be automated at every stage of your workflows. For this, you need 100% confidence in your tools, because if their results can’t be trusted, automation will not be effective.

For web application security, Invicti can help you secure all your websites with a small security team by eliminating uncertainty at every step. This starts with discovery to find all your web assets, followed by laser-accurate scanning with automatic verification using proprietary Proof-Based Scanning technology. For most direct-impact vulnerabilities, Invicti provides proof that a vulnerability is real and not a false positive. This allows you to automatically triage and process verified results, for example to send notifications and add bug reports via issue tracker integration.

So yes, technology is the answer – but simply throwing more tools into the mix won’t help. The only way to bridge the cybersecurity skills gap is to use truly accurate automation combined with streamlined workflows. When you are confident that your results are 100% accurate, you can really automate routine operations, leaving your cybersecurity professionals free to focus on tasks that only a human can do.