Sometimes, things are even worse than we thought. Take cybersecurity staffing, for instance.
In a piece for CSO nearly a year ago, Enterprise Strategy Group analyst Jon Oltsik noted that the cybersecurity skills shortage had been occupying the top spot in ESG's annual survey of priorities every year, and the numbers showed that the level of concern had grown each year. Worse, Oltsik felt that there wasn't much reason for optimism.
"…it is my firm belief that the cybersecurity skills shortage represents an existential threat to all of us, and our current approach to rectifying this situation is not working," he wrote.
Well, here we are nearly a year later, and the crisis is worsening. According to (ISC)²®'s 2019 Cybersecurity Workforce Study, the global cybersecurity workforce needs to grow by a whopping 145% in order to meet current needs. The study pegs the current global cybersecurity workforce at 2.8 million, and it estimates that another 4.07 million cybersecurity workers are needed.
Just as disturbing: The study found that 65% of organizations have a shortage of cybersecurity workers, and 51% of survey respondents said this shortage is putting their organizations at moderate or extreme risk.
Admittedly, the numbers are skewed geographically, and things aren't quite as bad in the US as elsewhere. Here, the cybersecurity workforce is just over 800,000, while an estimated 561,000 additional workers are needed to fill the gap, or an increase of 62%. By comparison, the Asia Pacific region has an estimated gap of 2.6 million workers. (Note: (ISC)²'s research excluded China and India due to a lack of information about the size of those nations' business sectors.)
Perspective aside, the US's 62% staffing gap is still sobering enough that a federal cybersecurity official characterized it as much more than a business problem.
"From my perspective, this is going to be a national security issue, if it isn't already," Richard Driggers, deputy assistant director for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, told attendees at the Nov. 12 CyberCon gathering in Arlington, VA, according to a report in The Hill. "We need to figure out how we can build and sustain a cybersecurity workforce as a national asset for America."
Which brings us back to Oltsik's post from earlier this year. Oltsik didn't need to see the latest (ISC)² report to know that worrying about it and having panel discussions at industry events isn't going to affect meaningful change. He had some very specific suggestions for how to tackle the problem.
For starters, he called for massive federal leadership in the form of scholarships, building national awareness and more widespread efforts on the part of every federal department. He also recommended reappointing a national cybersecurity czar, a position Donald Trump eliminated in 2018.
Oltsik also suggested more thorough public-private partnerships, which anyone who's attended recent RSA Conferences knows is something industry has been clamoring for. Specifically, he said the US should adopt a model similar to Israel's, which attempts to bring all of the stakeholders to the table.
Finally, Oltsik called for a more integrated effort among the vendor community, going so far as to recommend an industry-wide organization designed to pool resources and talent and come up with training strategies.
Not surprisingly, Oltsik isn't optimistic about any of this happening, which is why he advises CISOs to take the skills shortage into account with every decision they make, and to adopt a portfolio management approach to cybersecurity workloads.
One strategy that has been tried but isn't working so far is throwing AI at the problem. In a recent conversation with TechRepublic, Rahul Kashyap, CEO of Awake Security, said that AI has been seen by some as a way to tackle the skills gap, but that as organizations have handed mundane tasks to AI programs, an imbalance has surfaced, resulting in complicated tasks piling up for the more advanced staff.
Kashyap also suggested that small business is most impacted by the skills gap. Small companies don't have the expertise in-house to contend with security issues, and they don't have the resources to develop a skills pipeline. A simple ransomware attack can prove fatal for such businesses.
It's clearly a complicated problem with no easy solution, but a solution is absolutely needed. Proceeding with the cybersecurity skills gap that exists today is a recipe for disaster. The systems that must be secured continue to grow in scale and complexity, and the attack vectors just keep expanding along with that.
Something's gotta give, or we'll still be having the same conversations a year from now, and (ISC)²'s 2020 report will simply bring more bad news.