Cybersecurity Workforce Study Needs to be Taken with a Pinch of Salt
The global cybersecurity workforce has increased by 700,000 to 3.5 million (while the shortfall has decreased by 950,000 to 3.12 million); and companies have apparently transitioned to remote working securely.
These are the big takeaways from the 2020 ISC2 Cybersecurity Workforce Study, which queried 3,790 people who spend at least 25% of their time concentrating on cybersecurity tasks. The first takeaway relates to the workforce. “Overall we’re seeing some very positive trends from the cybersecurity workforce reflected in this new data,” said Clar Rosso, CEO of ISC2. “The response to COVID-19 by the community and their ability to help securely migrate entire organizational systems to remote work, almost overnight, has been an unprecedented success [the second takeaway] and a best-case scenario in a lot of ways. Cybersecurity professionals rose to the challenge and solidified their value to their organizations.”
But while these figures are welcome, there are nevertheless caveats. The cybersecurity workforce is a huge and diverse market, and the in-demand skill set is constantly changing. We don’t know where the 700,000 additional staff are operating. Are they skilled data engineers able to triage the alerts from machine learning, or experts in cloud security brought in to help secure the new home-office hybrid environment — or are they less-skilled cyber administrators brought in to help manage and train remote workers?
While the ISC2 figures show the workforce gap narrowing slightly, we cannot assume from this that the cybersecurity skills gap is narrowing. “Form should follow function,” Setu Kulkarni, VP strategy at WhiteHat Security, told SecurityWeek. “The real question to ask is do we have the right talent for the modern cyber-security needs. While we may have an uptick in the number of available cybersecurity professionals, are they the right-skilled professionals? For example, let’s take a closer look at one critical need we have in the industry today — DevSecOps. Do we have cybersecurity professionals who can perform all the duties required to implement good DevSecOps? The answer is no.”
It is perhaps more realistic to consider that the overall workforce shortage remains at 3.12 million, and that cybersecurity employment still needs to increase by 41% in the U.S. and 89% worldwide in order to fill the workforce gap, regardless of the skills gap.
One noticeable feature in ISC2’s workforce figures is the disparity between the number of new staff (up 700,000) and the number of required staff (down 950,000) — suggesting that demand is decreasing and fewer people are being actively recruited. This is supported by the study, where 23% of respondents said that they or a peer had been laid off as a result of the pandemic.
“The plans to downsize security teams are concerning,” comments Dr Kiri Addison, head of data Science and threat intelligence at Mimecast. “2020 has seen many successful cyberattacks and our threat researchers found that COVID-19 has opened new opportunities for threat actors in the first months of 2020, with a 35% rise in email-based malware threats from January to April.”
Kulkarni accepts that narrowing the workforce gap is ‘an encouraging macro trend’, “it is our job to make sure that we not only upskill our workforce to meet the needs of modern cybersecurity, but also put in place relevant grassroots training and development to have a cybersecurity educated entry-level workforce.” The implication is that the existing workforce needs to be upskilled in situ, while new staff are encouraged to join the industry from the outside.
However, it is not at all clear that in-house skills training is enough. “Simply increasing on-the-job training will yield limited returns,” warns Brendan O’Connor, CEO and co-founder at AppOmni. “The growing sophistication of cloud services and even more complex cybersecurity challenges cannot simply be addressed by additional training.” He adds, “Organizations should consider a balanced approach to training their employees and investing in automation tools. Extensive training and around-the-clock manual monitoring are not necessary when the right automation tools can complement the IT staff as they build up their skillset.”
Steve Durbin, managing director of the Information Security Forum, sees little option to in-house training. “Apprenticeships, on the job learning, backed up with support training packages are the way to go to tackle head on a shortage that is not going to go away,” he told SecurityWeek. He doesn’t know whether it will work, but adds, “Whether or not CISOs and their HR departments will value such earned skills remains to be seen but there is a practical element to be considered here: organizations can either adopt an attitude that says we will work with the rich skill sets that are available and provide the security components by online training, apprenticeships and practical skills transfer through mentoring schemes, or they can sit back and wait for the perfect candidate to come along some time, maybe never.”
The second takeaway from the ISC2 report is the speed and success with which organizations have adopted the work from home paradigm. Says ISC2, “The data shows that 30% of cybersecurity professionals faced a deadline of one day or less to transition their organizations’ staff to remote work and to secure their newly transformed IT environments. 92% of respondents indicated that their organization was ‘somewhat’ or ‘very’ prepared to respond, and just 18% saw security incidents increase during this time.” This is a remarkably upbeat view of the success of the transition. But the caveat is simple — it’s too soon to tell.
Given that the FireEye 2020 M-Trends report noted that the global median dwell time for attackers to live quietly inside networks is 56 days, and that 12% of its own investigations continue to have dwell times of greater than 700 days, it is quite likely the 18% of recognized incidents does not include an unknown number of as yet undetected incidents. It is quite possible that this will get worse before it gets better. Mimecast research on British home workers indicates that after working from home for a few months they are developing lax cybersecurity habits. “These bad practices result in more cybersecurity incidents across businesses, with three in four IT leaders witnessing cybersecurity issues once a month or more — more worryingly, 20% of them admit occurrences happen more than once a day.”
This relaxed approach to security at home is quite likely to increase over time. Sam Small, the CSO at ZeroFox, told SecurityWeek, the effect of the pandemic on cybersecurity will last throughout 2021. “What we don’t know is whether the security teams will learn how to defend home/office hybrid environments faster than the criminals will earn how to exploit them.” But it’s too soon to claim that the transition has been a success.