The Cybersecurity Staffing Crunch is Real and it is Forcing Some Companies to Slow Growth

Cybersecurity Staffing Crunch

Several trends are coalescing to create the perfect storm creating a cybersecurity staffing shortage at a time when it has never been more critical for businesses to protect themselves from the growing number of hackers. 

Mounting threats from hackers and new challenges presented by more employees working from home or the café down the street means that cybersecurity teams are expected to do even more. And they aren’t necessarily getting the additional resources they need.

Why? Demand for talent has skyrocketed. Maryland alone has 25,000 open computing jobs, and some of them are in cyber security or support cyber security positions. 

“The demand is tremendous,” says John Riganati, Senior Executive Advisor, Due Diligence Practice Lead for Think. “Companies are looking at a minimum of 90 days to find somebody, and the expected salary to attract those folks is higher than anticipated. It is literally slowing down their growth.”

Riganati says cyber, IT and computer experts have the upper hand.

“The demand is so high salaries are going up, plus companies need to rethink what employees want. Remote work, work-life balance, and benefits; all of that is having to be rethought to keep and attract talent,” he says.

Several factors are driving the cybersecurity staffing shortage including, a lack of trained professionals, surging demand, a historical lack of business investment in the field, staff burnout due to understaffing, increasing threats, and new challenges presented by more automation and telework.

Increase the applicant pool

The cybersecurity staffing shortage makes it challenging for most companies to recruit, hire, and retain these professionals. Unfortunately, some companies make it even more difficult by not offering competitive compensation and posting unrealistic job descriptions, suggesting that many human resource departments don’t understand the qualifications needed.

“It is possible to be highly qualified and experienced but lack the certifications required to get the job,” says Tim Marley, Director of Risk Advisory Services at True Digital Security.

Marley says a recent ZDNet article stated almost three-quarters of entry-level jobs vacancies ask for Certified Information Systems Security Professional (CISSP) certification.

“This takes years of training, not to mention the cost to sit for the exam,” he says. “Expectations have to be realistic to close the gap in the number of openings.”

As the industry matures, there will likely be more qualified professionals as the education pipeline evolves to meet businesses’ needs, but the shortage will likely persist in the short term.

“No one over 40 went to school for this stuff (the field didn’t exist), and most IT Pros have had to grow into becoming Cyber Security Experts organically as the landscape has evolved and forced the issue. It’s the classic “Adapt or Die” scenario (insert T-Rex image),” says Justin Carlson, Director of Technical Resources at MOI. “It was a revelation for me that these skills are not being taught at the High School level because schools are concerned with being attacked by their students. The bottom line is it’s an immature industry, and over time, high school, university and skills curricula will catch up to generate a pool of qualified candidates. While we wait, we shouldn’t overlook those like me who took a personal interest and self-taught; this showcases the aptitude needed for success.”

Promote good talent

Recognizing the short-term shortage, company leaders can help by promoting talent.

“As Technical Executives, we can use our personal networks to help promote young talent so that they can overcome the initial hurdle of getting in front of the right people, not everyone has connections, and this can help close the gap,” says Ed Mullin, CIO at Think.

Each week on “Talent Tuesday,” Mullin showcases talented technical professionals on his LinkedIn account.

“We have to help each other by sharing qualified candidates through your network and making introductions,” Mullin said. “You’d be surprised how many of these young individuals get a chance to fill one of those open roles.”

Mullin also stresses the need to increase access to the IT career pipeline by supporting student activities like competitive robotics and CyberPatriot.

Valuing cybersecurity

Unfortunately, many company leaders have a short-term view that cybersecurity is merely a cost. They have to spend money on it, but it doesn’t help the bottom line. Cybersecurity is often seen as a technology issue rather than a business issue. This is a naïve view when high-profile data breaches and ransomware attacks show that if cybersecurity isn’t managed correctly, it can have substantial negative consequences for the entire business.

Businesses tend to invest in things they see value in, so it is critical to ensure leaders are intimately aware of cybersecurity’s value, including people, training, and technology.

Although businesses are under pressure as cyber-attacks have increased, Riganati advises CEOs should not push the panic button.

“Don’t wait until a crisis happens or hire because you fear vulnerabilities after a series of cyber-attacks happen in your industry. Panic-hiring is not the answer and only floods the job boards,” he says. “Take the time to proactively hire the right security professionals to build your security team; this provides time to learn and grow, without the added pressure of crisis management right out the gate.”

Common myths

  • Cybercrime is an IT issue — A cybersecurity breach usually stems from management failures at multiple points and on multiple levels. Failures range from not providing adequate budgets to not replacing outmoded technology.
  • Attacks aren’t that expensive — A typical ‘small’ attack carries a cost of roughly $100,000 and there are costs beyond the ransom.
  • Backups will protect a company — Many hackers don’t hold data for ransom, they threaten to publish it.
  • Ransomware is the biggest threat — Small businesses with little to no email security are especially vulnerable to ACH fraud phishing, which requires little skill and no malware.
  • Ransomware usually uses phishing attacks — Outdated infrastructure is the primary weakness exploited by hackers