It has become increasingly apparent in recent years that more cybersecurity professionals are needed urgently. But the pace at which new people are trained is tortoise-like in comparison to the hare-like pace of cybercrime. And unlike the popular children’s story, the tortoise isn’t likely to win over a longer race. The bad guys show no signs of slowing down and appear to have the stamina to maintain the speed of malware distribution, or even accelerate it.
But the shortage of security workers isn’t going to abate anytime soon. There are currently more than 1.1 million people working in cybersecurity in the US. That may seem impressive. Yet there are currently more than 750,000 job openings, with many of them unlikely to be filled for some time to come.
Understandably, there are a great many industry initiatives ongoing to combat this staffing crisis. The White House launched a National Apprenticeship Week in November along with various supporting programs. The InfoSec Institute has stepped up its efforts to train a new workforce and reskill existing workers. These efforts aim to change alarming trends in the talent pipeline.
For example, computer science is being studied by 5.6% of high school students despite being offered by more than half of all U.S. high schools. We need state and local governments to incentivize schools to further incorporate (and even mandate) computer science courses. By doing so, more young people will possess a baseline of tech competencies, bolstering talent pipelines. 5.6% may be shockingly bad, yet it is up from 4.7% only a year ago. Clearly, progress is being made, but not at the speed necessary to fill the cyber-skills chasm.
Further efforts include the development of industry career paths that go beyond the traditional focus on degrees. This includes community college programs and training people on industry credentials to take up entry-level positions in cybersecurity.
Hiring practices, too, are being asked to change their usual requirements. Almost every entry-level position in cybersecurity demands a degree in IT or security. Many also ask for certifications and several years of experience. With the current job shortage, setting the bar much too high may be one big reason for lack of applicants. The fight over unicorn candidates is one ramification of this. While bidding wars go on for a select few highly qualified and experienced individuals, the industry has a dearth of promising newcomers. It could be likened to all NBA teams fighting over one superstar such as LeBron James while utterly neglecting any other standard player recruitment practices and largely ignoring new draft picks.
The Applicant Tracking Systems (ATS) used by HR may also be contributing to the problem. These systems work primarily based on certain parameters and keywords. If someone doesn’t have X degree, or Y certificate, they are automatically excluded. Their resume is never viewed by human eyes. If they have no experience in the workforce, ATS disqualifies them. Yet sitting there might be a diamond in the rough. Should anyone take the time to peruse the resume, they would discover that the person has been developing applications since they were 10 years old, or won an award at a Black Hat conference as a teenager.
Additional actions being encouraged are continuous training of IT staff in security and other parts of the workforce. The more certifications that existing staff obtain, the better off the industry as a whole becomes.
These efforts are all laudable and vitally necessary. But it becomes increasingly apparent with each passing day that the world of security will have to get used to doing far more with far fewer people. That is where automation comes in. IT security can no longer consist of manually intensive labor or troubleshooting actions that consume hour after hour trawling through logs in an attempt to find a cybercriminal needle in the infrastructural haystack.
Nor is it appropriate to rely on veteran staffers to solve all our cybersecurity woes. Granted, there are some superstars out there who have an intuitive ability to zero in on the root cause of security issues. But dependence on the few only plays into the hands of the criminal fringe. These talented individuals may soon be up for retirement. They are likely to be headhunted by other organizations overly focused on attracting unicorns. In any case, as IT and multi-cloud environments grow in size and complexity, there are just too many inputs, too many logs, and too many workloads to manage security threats manually.
It takes end-to-end automation to take care of modern IT security. Such automation not only encompasses detection of potential issues. It must also address remediation. Syxsense provides security services that automatically take care of functions such as endpoint management, mobile device management, patch management, vulnerability scanning, and remediation. In patch management, for example, Syxsense guarantees to test and critical patches within four hours of their release. It automatically deploys patches based on a priority system to safeguard all organizational systems and devices by providing the correct updates and patches. And it provides end-to-end integrated automation across its suite of endpoint and security management tools.
For more information, visit www.syxsense.com