The mass migration to remote working has forced chief information security officers to rethink what “secure” means and to re-prioritize the skillsets needed within their information-security teams. This creates challenges for companies — but also creates wide-open opportunities for those willing to train up for a new cadre of open cybersecurity positions.
The cyber workforce is always in high demand – such high demand that there has been an ongoing and well-publicized shortfall in qualified specialists to fill available jobs. But the work-from-home shift has created unprecedented disruption within cybersecurity, with ramifications for the workforce shortage.
A New Set of Concerns
Nearly overnight, companies abruptly shifted from a primarily on-premises workforce to a majority work-from-home configuration. And experts say a large portion of those employees will remain remote indefinitely, driven by cost savings and employee preference.
The change brings with it a host of new security concerns. For instance, a major challenge lies in securing remote workers who are using home networks, personal devices, and personal applications to connect to company assets, rather than working behind a corporate firewall.
With that shift, new cybersecurity priorities, such as phishing, malware attacks, and data integrity/compliance, have come into sharper focus.
Over 53% of those in a recent poll from IBM Security said they are using their own personal devices for work — including their own laptops and mobile devices. 90% are conducting business over their home networks. However, this activity is done often without any new security protections in place, the survey found.
There’s also been accelerated cloud growth – but a lack of investment in proper security measures has left critical data unprotected and organizations susceptible to ransomware attacks. The 2020 Ransomware Resiliency Report [PDF] from data protection company Veritas found that a 36% of organizations had sped up their use of the public cloud in 2020. The report also revealed, many of these same firms have inadequate security that “doesn’t measure up”, leaving data stored in the cloud exposed. Almost two-thirds of respondents said they thought the security measures at their enterprise had not kept up with their IT complexity.
Many departments are scrambling to enable collaboration apps for all — from Zoom to Slack and Teams to Webex. But without proper security they can be a big risk, as shown by an escalating number of social-engineering and phishing attacks involving these apps.
“An attacker could create a Slack add-on that advertises some great features but also reads channel data,” said Matt Gayford, principal consultant at the Crypsis Group. “If an end user mistakenly installs the add-on, they could expose all Slack channels to the attacker.”
One of the top ways that companies are addressing remote security is through the use of VPNs — but that brings its own challenges.
“Some applications can be configured so that they can only be remotely accessed via VPN,” said Ken Presti, vice president of research and analytics at AVANT Communications. “This, however, needs to be heavily communicated, otherwise your support teams are going to be inundated with trouble tickets from people who don’t realize that they’re not connecting to the needed resource because they didn’t fire up the VPN. While VPNs can greatly enhance security, there can also be a learning curve for your team. This is especially true in the early going when people are getting accustomed to using it.”
This is all exposing short-term skill gaps, along with changes in what the cybersecurity skills needed in the long term will be.
“The top skills in demand focus around securing SaaS applications, federated identity, data control focused skills (classification, encryption, protection), threat intelligence, and zero trust, which is really focused on identity but may be called out differently,” said Brandon Hoffman, chief information security officer at NetEnrich.
“This is not dramatically different in the sense that these skills are now needed and before they were not,” Hoffman said. “It is different in the sense that these skills will take priority over traditional skills like incident response, networking-based security skills, and endpoint protection.”
Also, cloud-based security chops will be critical for the future IT-security team, according to Mohit Tiwari, co-founder and CEO at Symmetry Systems.
“As networks and application tiers become ephemeral, the most important persistent asset for any enterprise will likely be their own and their customers’ data — so data security on the cloud will be a major theme going forward,” he said.
Skills Shortage by the Numbers
According to Cyberseek, an interactive mapping tool that tracks the current state of the security job market, there are more than half a million open cybersecurity positions available in the U.S. alone (522,000). The firm also found that the current ratio of existing cybersecurity workers to cybersecurity job openings is very low, standing at one qualified candidate for every eight open positions, according to the stats. And on average, cybersecurity roles take 21% longer to fill than other IT jobs.
As defined by the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, jobs in the “Securely Provision” arena, where employees “conceptualize, design, procure, and/or build secure IT systems,” are most in-demand (more than 300,000 open positions). From October 2019 through September 2020, there were 166,000 openings for information security analysts, but only 125,570 workers employed in those positions — an annual talent shortfall of 40,430 workers for cybersecurity’s largest job, according to Cyberseek.
Another area with more than 300,000 open positions (there are overlaps in skill sets) is the “Operate and Maintain” NICE category, where workers “provide the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.”
These jobs include specialty areas in risk management, security architects, sysadmins, data analysts, software development, network operations specialists, and more.
“Certain skills, like cloud security and cyber-policy expertise, are in high demand due to the increased focus based on today’s landscape and the renewed interest in operational technology/IT cybersecurity at the federal level,” said Kurt John, chief cybersecurity officer at Siemens USA.
The trick is identifying the cybersecurity needs of today and forecasting what future cybersecurity needs are just around the corner.
Meeting the Challenge
First and foremost, the single biggest positive impact on cybersecurity for any organization is the maturity and cohesiveness of their security teams, advises Mark Simos, lead cybersecurity architect at Microsoft, in a recent post. This filters into how teams recognize and respond to threats, how well internal developers embrace secure coding/development, and how executives prioritize protecting critical intellectual property.
“Unfortunately, I believe recent events have exacerbated the skills shortage; however, at the same time, they have brought understanding and awareness to the need for more cyber-professionals,” Siemens’ John said.
The opportunity is there for those willing to invest in their skill sets via an advanced cybersecurity degree or certification within areas of high demand.
“I believe that companies and the public sector have the opportunity to address the issue by partnering with colleges and universities to increase the pipeline of students interested in the cybersecurity industry — there is hope for the future,” he said.