Wednesday, October 28, 2020

Are you aware of the cybersecurity skills gap? (Cybersecurity Awareness Month: Day 28)

Graphic illustrating the idea of a skills gap
There is a shortage of effective guardians

Remember back on Day 1 of this Cybersecurity Awareness Month when I talked about how much cybercrime there is these days? And on Day 15 I put up this graph of Internet crime losses reported to IC3 and the FBI? 

We talked about how this graph is a pretty good representation of the overall trend in cybercrime—which is likely to set new records this year—and how that makes raising cybersecurity awareness a very urgent task. 

During this month we have also looked at some of the reasons why there is so much cybercrime, including one very fundamental insight into crime in general, from Felson and Cohen. Back in 1980 they said that crimes occur when there is: 
"convergence in space and time of offenders, of suitable targets, and of the absence of effective guardians."
So, one way to look at the seemingly relentless rise of cybercrime is to see it as the convergence of offenders and suitable targets in cyberspace, a place where, at the present time, there is a very real absence of effective guardians. 

In fact, there are literally hundreds of thousands of unfilled jobs for effective guardians. Sadly, governments and companies just cannot find enough people to do the cybersecurity work that needs to be done to effectively guard against cybercrime. 

I don't mean that organizations don't have the money to hire people with the necessary cybersecurity skills to be effective guardians. I mean that even when they have the money, i.e. when positions are funded, they just can't find enough qualified applicants to fill those positions. 

In America, this shortfall is actually mapped out on the web at a site called CyberSeek. That link takes you straight to a map that shows you where the demand is and where the supply is located. Nationally, there are half a million jobs open in cybersecurity, or to put it another way, one third of the "effective guardian workforce" is missing.

This phenomenon is widely referred to as the "cybersecurity skills gap" and it is not a new thing. This gap has been there for years now. I studied the problem in some detail in 2016 and presented a paper on it in 2016 titled: Mind this gap: criminal hacking and the global cybersecurity skills shortage, a critical analysis. Back then I said this about the cybersecurity skills gap: "It is real, it is large, and it is growing, despite recent efforts to close it."

I said exactly the same thing about a month ago when a reporter was looking for input on the skills gap in 2020 relative to the pandemic. That reporter did not use my input, but here is how it might have appeared in an article: 

Cobb started exploring the cybersecurity skills shortage in 2015 after a report from Cisco said the global gap could be as big as one million people. In 2016, drawing on relationships with CompTIA and (ISC)2, he researched the gap for a master’s dissertation and presented a paper titled “Mind This Gap” at that year’s Virus Bulletin Conference. His conclusion: the gap is real and could easily be as big as one million globally.

Cobb says skills gap skeptics who claim its size is exaggerated tend either to be people who have skills but can’t find a job, or market-oriented economists who say any claim of a skills gap must have this qualifier: "at current pay levels."

"I have a lot of sympathy for those who have skills but no job," says Cobb, "In my experience, a lot of this is due to serious shortcomings in hiring processes at many organizations; hiring for cybersecurity roles is a skill in itself, one that many HR departments lack." 

According to Cobb, reducing bottlenecks in hiring, while ensuring that recruitment efforts are as diverse as possible, would definitely help to reduce the number of unfilled or under-filled cybersecurity positions.

As for closing the skills gap by increasing pay levels, Cobb says this is an overly simplistic view of markets. "Paying higher and higher wages until your company has all the security people it needs only works for goods and services sold at “cost plus” prices. While some defense contractors may be able to do that, most businesses see increased spending on security as a reduction in profit."

The reporter specifically asked: Do you see the pandemic adding to this shortage? If so, why?

"The pandemic is clearly increasing both the demand for people with cybersecurity skills and the demands put upon those people," says Cobb. "It’s not just the sudden shift to home working, but the rapid rise in levels of cybercrime, and the heightened levels of anxiety and fear that can affect an employee’s judgment."

Cobb added: "A lot of cybersecurity teams started out 2020 with a smaller headcount than they needed and open roles that they were struggling to fill, then suddenly they find themselves fighting more battles, on more fronts, than ever before; they’re going to need a lot more people than are available to hire."

On a brighter note, Cobb sees the increasing openness to employing remote staff as a positive factor for recruiting cybersecurity talent: "There are people who have great potential to do well in security but for whom a conventional office environment is not a good fit."

Another good question was this: Is the new work-from-home model adding to the problem by creating more work for cybersecurity professionals?

Cobb says that, "Many organizations have made a fast-paced switch from office-based computing, where systems and users can be tightly controlled and closely monitored, to a loose-net web of connections over public networks via an almost infinite combination of home-based hardware and software." In other words, he says, "attack vectors have multiplied, controls have been weakened, users are stressed, and criminals are on a tear."

"Organizations are currently faced with multiple factors that magnify the cybersecurity challenge: complexity, rapid change, economic anxiety, personal stress, and increasingly aggressive adversaries operating with apparent impunity."

However, bad as the pandemic is, Cobb sees the failure of governments to tackle the root causes of cybercrime as a bigger long-term threat to cybersecurity, one which may make closing of the skills gap impossible any time soon.

So, there you have an up-to-date view of the cybersecurity skills gap, served up in article format, without the annoying adverts and pop-up requests to subscribe. But what does this mean for cybersecurity awareness? Here are two things:

  1. Any time you find yourself assuming that a connected device or online service is well-protected, remind yourself that the organization behind that device or service is probably struggling to fill positions that involve making that assumption valid.
  2. If you find cybersecurity interesting, there are plenty of ways you can turn that interest into a well-paid job.

I will talk more about point two before the week is out. 

In the meantime: #BeCyberSafe
