5 ways to cope with the cybersecurity skills shortage (that don't involve hiring)


As part of the ESG annual IT spending intentions research for 2020, respondents were asked to identify the area where their organizations have a problematic shortage of skills.  Cybersecurity topped the list of problematic skills shortage areas, just as it has for the past nine years.

What’s interesting is that 44% of respondents indicated a problematic shortage of cybersecurity skills in 2020, down from 53% in 2019 and 51% in 2018.  Does this mean that the cybersecurity skills shortage is improving?  I don’t think so.  Rather, after living with the cybersecurity skills shortage for many years, I think CISOs have come to understand that they can’t hire their way out of their problems and have turned to other methods.

Here are 5 ways CISOs are addressing the talent shortage. 

  1. Experimenting with new types of analytics. According to recent ESG research, 51% of large mid-market (500-999 employees) and enterprise (1000+ employees) organizations are using analytics based upon machine learning algorithms today.  When asked why, the top responses were to improve detection of advanced threats, accelerate security investigations, and better identify cyber-risks.  So, CISOs want machines to crunch and analyze more data and help them improve security staff productivity.  We are still early on in this endeavor, but I see signs of improvement already.  For example, the 2020 version of user and entity behavior analytics (UEBA) tools can run circles around those of a few years ago and will only get better moving forward.  Machines simply must do the heavy lifting here – humans can’t keep up with the scale.
  2. Embracing automation. As one CISO said to me recently, “If I can create a runbook for a security process, I ought to be able to automate that process.”  I’m seeing this type of behavior more and more with security operations.  A few years ago, many organizations automated obvious processes like phishing investigations but now they’ve moved on to formalize, document, and then automate a greater number of tasks.  In many cases, hours of tedious work have been reduced to minutes, helping organizations gain more scale out of their security teams.  This trend will accelerate in 2020, leading to a big year for security orchestration, automation, and response (SOAR). Note: I hate the term SOAR.
  3. Extending teams with professional and managed services. Of those organizations that have a problematic shortage of cybersecurity skills, 73% will increase usage of third-party services to help them dig their way out of this personnel hole.  This increase applies to managed and professional services alike.  Many CISOs I talk to are applying a portfolio management approach to cybersecurity by going through all their responsibilities and deciding which to keep in house, which to outsource, and which they just need a little help with on-demand.  It’s pretty much a given that nearly every organization needs help with cybersecurity, creating a tremendous demand for services — a great opportunity for Accenture, AT&T, IBM, Verizon, etc.
  4. Investing in training. Nearly one-third (32%) of organizations plan to increase cybersecurity training for the security and IT staff in 2020.  Cybersecurity professionals can benefit from continuous education, making them more effective and productive at their jobs.  And it is good news that IT personnel are also participating, as cybersecurity should be everyone’s responsibility. 
  5. Consolidating security technology. Recent ESG research indicates that 77% of organizations are actively consolidating the number of cybersecurity vendors they do business with.  In other words, CISOs are spending more money with fewer vendors and moving away from standalone point tools toward integrated security architectures with central management and distributed enforcement.  This can help streamline vendor management and customer support while introducing things like common UI/UXs that the staff can better learn and operate.

Despite years of publicity, I believe the cybersecurity skills shortage is worse today than it was nearly a decade ago when ESG started researching this topic.  Yes, supply has gone up a bit, but demand has risen much faster.  The only way to address this is with smart coping techniques like those described above.  If you can think of other successful methods, let me know.

Copyright © 2020 IDG Communications, Inc.