CXO Bytes

Mitigating the Security Skills Shortage


The impact of the COVID-19 pandemic on the overall security landscape has been significant. The pace of digital initiatives and the rapid growth of the remote workforce have completely altered the attack vectors enterprises face. As a result, security professionals are overwhelmed and struggle to protect their enterprises effectively. The new hybrid landscape has brought new concerns related to data leakage, ransomware and a rise in phishing attacks. This landscape demands more cybersecurity talent, which is in short supply. According to (ISC)²’s 2021 Cyber Workforce Report, the global cybersecurity workforce needs to grow 65 percent to effectively defend organizations’ critical assets. While the number of professionals needed to fill the gap has decreased from 3.12 million to 2.72 million in the past year, this is still a big gap that leaves several organizations vulnerable.

India is experiencing a similar problem. According to a survey conducted last year by the global firm ISACA, 60% of organizations in India revealed that they have vacant cybersecurity positions, while 42% said that their organization’s cybersecurity team is understaffed. Even more alarming, 59% believe that less than half of their applicants are well qualified for the position they are applying for. 62% of India-based respondents said that it takes three to six months for their organizations to find qualified cybersecurity candidates for open positions, compared to 47% globally.

What can be done?

Recruiting and managing a team of security professionals brings its own challenges. There’s the obvious cost of recruitment and the length of time it takes to fill each position. There is also the perennial requirement to train the team and keep skills and certifications up to date. And when people leave, there’s the challenge of starting the process all over again.

The industry therefore needs more resources to manage this, and it needs the right resources. We need IT professionals: people with compliance and forensic skills, industry expertise, incident handling experience, an understanding of mobile security demands, up-to-date compliance knowledge, experts in cloud security and people with the analytical skills and experience to see what others might miss.

Risk and security management are important areas for any organization, and as the threat landscape evolves, every enterprise needs to consider its current risk exposure in the context of its commercial objectives. Based on the assessment, enterprises can consider training their own staff, looking at both short-term and long-term objectives. An independent assessment can help enterprises understand their risk exposure, consider best practices and prioritize activities. The recommendations may mean that it makes good commercial sense to hire additional people or potentially outsource some or all requirements.

Some possible solutions

The skills shortage can be mitigated in a big way by automating many cumbersome tasks. Automation tools can help bring a unified approach to monitoring multiple clouds. Enterprises can also visualize how a small configuration change can increase the security risks for all associated elements. Cloud automation tools can be used to define custom security policies and compliance rules specific to unique business, cloud environment, or application needs. Organizations can also reduce security risks by auto-remediating new violations with alerts that help developers avoid critical mistakes. Developers can also understand application security better by gaining access to cloud misconfiguration insights within their development platforms. Automated reporting can help developers get a better understanding of security risks, and help them be more compliant with different regulations and security practices.

Another time-tested technique to resolve the security skills shortage is outsourcing. Outsourcing some or all of your security operations to a professional security services provider will alleviate the problem of there not being enough resources in-house. These managed service providers know how and where to find the right experts for specific industries; they invest in training and updating professional qualifications; they continuously monitor networks round the clock, every day of the year; and they take all the time-consuming and repetitive workload away from organizations, leaving enterprises to get on with managing their core business.

For a start, a relationship with a professional security services provider can be limited to any service that enterprises are struggling to resource internally, such as risk assessment, developing an incident response plan or managing a compliance project. Alternatively, many organizations choose to fully outsource security operations to the experts. And a fully outsourced service is no longer just a case of managing complex networks from a ‘lights on’ perspective. It’s about proactively protecting organizations against multiple, complex security threats – around the clock – and providing added value such as insight and analytics, over and above managing devices. Choosing a third party can mean gaining access to their collective global knowledge and systems as well as their highly experienced people.

Security services providers also keep their fingers on the pulse of current and next-generation threats and vulnerabilities, and they have access to regional and global threat intelligence. All of this enables enterprises to be proactive and keep one step ahead of the game, rather than simply reacting to what has already happened. The right third-party provider can manage the most complex of infrastructures and diverse applications: on-premises, in the cloud or in a hybrid mode.

In summary, the implications of inadequate security can be disastrous. The rising skills gap is not just a talent shortage issue, but has tremendous business implications. If organizations want to truly accelerate their digital initiatives, the gaps in cybersecurity skills need to be quickly addressed by using any of the approaches mentioned above.

(The author is Mr. Murtaza Bhatia, Director, Cyber Security Sales, NTT Ltd. in India, and the views expressed in this article are his own.)
