Cyber Security Talent Gap: Use These Solutions to Help Rectify Ongoing Issue

Mitigating cyber risk continues to challenge organizations and their risk leaders, as threat actors become more sophisticated and varying in their threats, tools, targets and locations.

In fact, three in five companies¹ aren’t ready to fully navigate exposures associated with digital threats. This exposure concern, is due in part to a talent recruitment issue that has been impacting cyber security for more than a decade:

• 60 percent of organizations report that they struggle to recruit cyber security talent
• More than half of business leaders surveyed say they struggle to keep cyber security talent.²

Cyber talent constraints are a familiar problem for companies. There are simply not enough cyber security professionals in the workforce able to combat the threats and keep pace with an increasingly sophisticated group of threat actors. There currently is a shortage of more than 2.7 million cyber professionals³ globally, more than a quarter of which are in the U.S., according to the World Economic Forum.

How can companies successfully defend themselves against these myriad threats while maintaining a motivated and engaged workforce?

The Scope of the Issue

Cyber security remains an enormous challenge, and the current shortage of professionals to combat the threat is having a detrimental effect. More than 80 percent of companies have experienced a breach attributable to a lack of cyber security skills or overall employee cyber awareness.

A hole in cyber security personnel can potentially lead to catastrophic results. About two-thirds of companies say that the lack of cyber security professionals places them at greater risk of a breach.⁴ This lack of talent leaves many companies vulnerable to a potentially costly breach, especially companies known to maintain sensitive data. Nearly four in 10 companies reported experiencing a breach that cost them more than $1 million.⁵ Add to that the cost of damage to the company’s reputation, and it’s easy to understand why the cyber security gap is of such importance.

Is it a Talent Gap or a Skills Gap?

There’s a talent gap in cyber security, however, there’s also a lack of skills currently hampering organizations. In fact, 59 percent of businesses reported they would find it challenging to respond to a cyber incident due to shortage of skills on their team.⁶ Cyber security has always been a race between the threat actors and those trying to prevent attacks. As attackers refine their methods and find new ways to exploit vulnerable systems, cyber security professionals continue to stay up to date to effectively combat the threat. Companies prefer to employ credentialed professionals with specialized certifications. That training is expensive and extensive, some with difficult certification exams.

In reality, the current issue is both a talent gap and a skills gap. There needs to be more cyber security professionals, and they need more skills. How can companies keep up?

Attract, Retain, Sustain

In the current labor market, it can cost three to four times the professional’s salary to hire for an open position,⁷ meaning an opening for a $75,000 per year job could cost $300,000 to fill. Holding on to the professionals already on board should always be seen as top priority.

1. Do a Skills Audit.

What skills do companies have in place? Where is there greater need? A skills audit may yield better results than looking at headcount or an organizational chart. If current employees can be re-skilled or upskilled into areas of need, it may fill in the gaps without having to do much fishing in the talent “ocean.”

2. Make Sure EVP (Employee Value Proposition) is Relevant.

Companies should be looking at their overall employee value proposition (EVP) to ensure that it is relevant, not just in their industry, but across industries. When considering EVP, it’s important to consider factors that cyber security professionals find important, besides salary, including:

A strong employee retention program that attracts and retains its cyber professionals and builds talent sustainability is vital. However, as we look to strengthen the talent pool, we must also consider other ways we can do more with less. There are measures organizations may take to help strengthen their overall cyber posture, which can assist in mitigating the impact inability to hire or upskill quickly can cause a company’s overall risk posture. As businesses continue to look for ways to enhance their cyber security talent and skills, use these five steps to help build cyber resilience:

5 Recommendations to Build a Model for Sustained Cyber Resilience

1. Identify your business risks and how they may be impacted by cyber risks:

Identifying business risks and their relationship to cyber risks enables an organization to assess its exposure and take steps to protect its operations, reputation and bottom line. For example, a potential business risk may be the loss of sensitive customer data. The corresponding cyber risk may be a data breach caused by a threat actor accessing your network.

2. Assess your exposure:

Assessing your cyber exposure can help you understand how security controls impact balance sheet exposure, and creation of strong strategies to manage cyber risk. Through relevant quantified risk scenarios and assessing control effectiveness against these loss models, businesses can quickly decide how to best allocate budget to maximize resilience. An adversary simulation tool helps drive in-depth analyses of successful vs. blocked attacks, which may determine the success of defensive controls and security monitoring programs and shape a data-driven risk prioritization and remediation strategy.

3. Mitigate your risk:

Risk mitigation includes targeted security controls and measurable industry standards, which enhance security maturity, reduce exposure and minimize financial impact from key cyber risks. Consider reviewing governance, controls, roles and responsibilities, developing protective safeguards to mitigate cyber exposures. Engage in breach simulations and tabletop exercises to test incident preparedness.

4. Implement a risk transfer strategy:

Develop and implement a risk transfer strategy that helps safeguard your balance sheet. Quantifying maximum probable cyber losses enables senior stakeholders to understand the magnitude of potential losses and what those losses might constitute. Armed with this knowledge, your businesses can make decisions around risk-bearing appetite and appropriate levels of risk transfer. Cyber insurance to help mitigate the financial impact of a cyber attack and provide access to incident response services.

5. Implement recovery plan:

After an incident the road to recovery is often complex, and a recovery plan should drive operational and financial loss recovery. Recovery plans should include incident response expertise alongside key business stakeholders to maximize recovery. Consider checking your contractual protections and insurance policies to ensure your organization is covered for financial loss from a breach. Review business continuity and disaster recovery plans to ensure they include, and test for current cyber threats.

It’s a Marathon – and a Sprint

Developing and retaining cyber security talent has to be an ongoing process. Relying on exponent staff growth is not a successful strategy. Leveraging both a focus at stronger cyber hygiene, coupled with a focus on retention can help maintain a base level of maturity that will help. That resilience built between better collective practice and cyber development will be useful, not only when the current talent shortage is successfully addressed but will provide a viable buffer against future crises.

¹ Cyber Loop, A Model for Sustained Cyber Resilience
² 2022 Cybersecurity Skills Gap (fortinet.com)
³ Can closing the cybersecurity skills gap change the world?
⁴ 2022 Cybersecurity Skills Gap
⁵ 2022 Cybersecurity Skills Gap
⁶ What you need to know about cybersecurity in 2022