In May 2019, hackers broke into the computer network of a federal government contractor to the Customs and Border Protection Control. The cybercriminals stole the photos of travelers and license plates of about 100,000 people, according to Wired Magazine. Within days, hackers posted the stolen records on the Dark Web for sales. The contractor, Perceptics, also lost data about the surveillance hardware it uses at multiple U.S. ports of entry. The information may be of interest to nation-states whose objectives are not aligned with that of the United States and to terrorist organizations. The Federal government has since canceled its contracts with Perceptics. 

Every minute, hackers attack the network defenses of high-value cybersecurity targets like the Federal government and its thousands of contractors. Agencies and their web of suppliers that support them do their best to ward off electronic intrusions; however, there just are not enough cybersecurity professionals available to provide the sort of coverage the enterprises need to protect their sensitive data.  

How Understaffed are Cybersecurity Positions? 

According to Cyberseek, in the United States, there are over one million active cybersecurity jobs. With over 30% of those positions unfilled, the situation is far from ideal. However, this problem is only projected to get worse. By 2022, experts expect there to be over 1.8 Million unfilled positions. Within the federal government, nearly 90% of the 2,620 information security professionals surveyed said that “hiring and retaining qualified information security professionals” was either somewhat important or very important to securing their agency’s infrastructure. Respondents noted the observation as the most important component for security. 

The lack of cybersecurity resources is not limited to the United States either. Recent studies put the global shortage of skilled professionals at around 3 million. As with the U.S., this situation is only expected to deteriorate in the next few years. This global problem is also not limited to a specific subset of the broader cybersecurity skills domain. 

Shortages exist for almost every position in information security: From people that operate and support cybersecurity systems to individuals that can design secure applications and services, the need for highly-skilled resources has never been greater.

Source: ISACA State of Cyber Security 2017 from ISACA

The Impact of the Cybersecurity Skills Shortage

The lack of sufficient cybersecurity skills in the market is not only an HR recruiting problem. It has real-world ramifications for any organization operating technology systems that run its business. The shortage of highly-skilled resources requires existing staff to take on a heavier workload. As with any other job, not having enough time to perform every task accurately leads to human error, lower quality assurance, and eventually, employee burnout.

The increased workload on existing employees also results in them not having the time to master the complexity of modern security technologies. The consequence is that they are unable to utilize the security solutions to their full potential, increasing enterprise risk. As businesses are spending a more significant proportion of their IT budgets on cybersecurity platforms, the lack of skilled resources is also having a direct impact on the organization’s return on investment.

In addition to the burden placed on existing employees, the lack of suitable cybersecurity skills has also forced organizations to recruit and train junior resources. This approach not only increases their training costs but also adds to the existing workload on current members of staff who need to mentor and train their junior colleagues. This lack of capacity further exacerbates the problem of IT misalignment. As IT is over-utilized, they do not have the time to work with businesses in aligning their requirements with IT strategy and cybersecurity obligations. Not only does this affect the efficiency and productivity of the enterprise, but it also introduces an unacceptable level of risk.

What Can Government-related Enterprises Do to Address the Cybersecurity Skills Gap?

The chronic shortage of relevant cybersecurity skills is a national challenge and one that is not going to resolve itself without focused intervention. As this risk affects federal agencies and their contractors, enterprises need to make a concerted effort to address this issue.

Investment in Cyber Education Programs

While the current shortage of cybersecurity skills in the market directly relates to the low number of suitably qualified individuals, a focus on education is an obvious first step in overcoming this challenge. In April 2019, the Trump administration signed an executive order to standardize and promote cybersecurity workforce development in government. The order includes the launch of a rotational assignment program that allows federal employees to more easily take on cybersecurity roles at other agencies with the aim of bolstering capabilities of the Cybersecurity and Infrastructure Security Agency, according to FCW Magazine.

Educational institutions need to provide their communities with both short-term and long-term solutions to grow the cybersecurity skills base. One such program is CyberPatriot. The cyber defense competition for high school students receives funding from the Department of Homeland Security. The program features 6,387 registered teams from all 50 states, U.S. territories, and Defense Department schools around the world. 77% of CyberPatriot competitors subsequently pursued STEM majors in college. 

However, enterprises need to form a collaborative partnership with educators to ensure they develop and nurture the skills required by the market today. Short-term tactics like certification programs for existing technical personnel can help fill some critical needs. For instance, the Federal Chief Information Officer (CIO) Council, a part of the Federal government’s Office of Management and Budget, has partnered with the SANS Institute to create the Cyber Reskilling Academy. The Academy’s goal is to identify government employees outside of the CIO’s office who possess the capabilities to acquire skills in cybersecurity quickly. It is a full-time program that gives its participants the skills to become a cyber defense analyst in just six months. 

The retention of professionals trained in cybersecurity practices can become an issue, though. Private industry salaries tend to be far higher for infosec professionals than in the government sector. Further, pay rise and promotional structures in agencies prove a hindrance to keeping talent that sees their private counterparts advancing far more quickly than they are, according to a Government Executive Magazine article. 

The Role of Industry

The tech industry also needs to get involved and drive this effort. Technology giants like Microsoft, Google, Amazon, Symantec, IBM, and a myriad of others already provide security technology solutions. As they are at the forefront of digital research and development, they need to guide both education and government to ensure real-world relevance in any cybersecurity training initiatives.

 Education should not be limited to technical resources. Cybersecurity is an issue that touches every function of today’s digitally-driven organizations. Educating the middle and upper management on information security will help ensure future enterprises do not face the same challenges. One could argue that the skills shortage facing organizations today stems from business leaders lacking insight and not making the appropriate investments in cybersecurity from the outset.

Artificial Intelligence and Automation

Like every other industry, the rise of Artificial Intelligence (AI) and automation is disrupting traditional business models in the cybersecurity market. Advanced security platforms augment their features with AI capabilities, reducing the workload on human operators. Leveraging AI, organizations can deploy solutions that are capable of spotting phishing websites and automatically filtering malicious email. The automation inherent in these platforms can also help security analysts sift through the thousands of security incidents generated by management and monitoring systems. They are also capable of identifying threats to the business using baseline heuristics and then alerting human operators when they detect an anomaly. 

Although AI and automation can help alleviate the problems caused by the shortage of cybersecurity skills, they do not replace the need for the human element. These solutions augment the activities of existing teams. For instance, they can reduce the burden on security analysts by assuming some of the more mundane and repetitive tasks. They are a solution that can help alleviate the cybersecurity skills shortage in the short term.

Agencies and Federal Contractors Need a Blended Approach

The chronic shortage of cybersecurity skills is a challenge for every government agency and supplier. Resolving this critical issue requires a blended approach that focuses on both short-term quick wins and long-term strategies. In the short term, enterprises can look at implementing AI solutions to augment their existing human resources. They can also consider outsourcing their security to managed services providers that have the relevant skills and expertise to protect sensitive data. However, a long-term strategy that involves input and investment from both the public and private sector is the only real solution to the problem. 

Resolving the cybersecurity skills shortage in the medium- to long-term must be a strategic imperative for both government and industry. Partnerships and initiatives that educate and build awareness from the technical front line to the boardroom are the only practical response to this looming problem.