One million. That’s how many unfilled cybersecurity jobs there are worldwide, according to a recent ISSA survey. This isn’t just a skills gap – it’s a skills chasm. At the same time, attacks are on the rise, with a 50% increase from 2020 to 2021. And the consequences are getting more severe. Last year, over 230 U.S. hospitals had their operations halted due to ransomware. It’s never been more urgent than now to address this crisis – and find a way to rapidly meet the growing need for cybersecurity. But open any paper and you’ll read about the “Great Resignation” – as a trend away from the workforce, not towards. So we need a new solution.
To get there, let’s first examine the underlying causes behind this skills shortage. It might be easier to think of it as an imbalance: the protection required for today’s digital way of life requires more cybersecurity professionals than are currently employed. At no point do we want worse security; we want continuous improvement. But why has the need for cybersecurity professionals accelerated so fast that the workforce can’t keep up?
The first reason has to do with innovation. Not security innovation, but rather innovation in how companies build, deliver and run software. Trends like “shift left” have expanded cybersecurity’s remit to the entire application lifecycle, while infrastructure paradigms like cloud-native computing have turned singular applications into dozens or hundreds of microservices – vastly increasing the complexity of environments. As part of the wider DevOps movement, these trends have contributed to engineering and IT teams being able to deploy applications and infrastructure alike at machine speed.
The second reason is one we’ve heard over and over again in the pandemic era – the shift to “work from anywhere” and “digital-first.” As the workforce has become distributed, and vital services in our lives have moved online, the traditional notion of a ‘perimeter’ no longer exists. Security teams must protect myriad devices, locations, and working models – all of which are constantly in flux. There’s no more defending the home turf.
Put these together – security has more to protect than ever before and has to deliver this protection despite constant changes in the environment, changes that occur at machine speed. To cope, we’ve seen the emergence of the third contributing factor to the cybersecurity skills shortage – the rise of “shadow work” within the security remit. As security has “shifted left”, cybersecurity professionals have been asked to take on engineering, DevOps, and IT skills from scripting to cloud computing. As the remit of security has moved from corporate networks and sites to “anywhere, anytime”, security’s been forced to learn about and integrate with dozens (or more) of enterprise communication, HR, and monitoring systems. The result of this is that a large part of any cybersecurity professional’s day isn’t spent on identifying and responding to risks; it’s spent trying to connect systems or moonlighting as a software engineer.
Last year, ISSA published a study that discovered that 54% of organizations struggle to find cybersecurity professionals with a certain skill set. That skill set? Cloud computing. Yet, there’s no massive cloud engineering shortage. DevOps and IT teams are feeling overwhelmed by a lack of talent. So the skill is out there, it’s just not one that cybersecurity professionals have. And that’s OK.
So what’s the answer? If it’s not “train security on these technical skills” or “just hire more people” or “somehow make attackers give up”, how can we take practical steps to address the staffing shortage?
Let’s first remember that the staffing shortage is really the sum of “more security work to be done than there are security professionals”. So our goals need to be, first, to reduce the amount of human work in cybersecurity and, second, to make security a more accessible career.
Let’s start with the first cause: DevOps and the shift to machine-speed deployment of applications and infrastructure. Continuous Integration & Delivery, Infrastructure as Code – these technologies have turned formerly manual processes for provisioning environments and delivering applications into automated processes that any software engineer can run. Organizations have moved from one deployment a month to multiple deployments each day.
So first and foremost: security needs to match this speed. And that can’t be done manually. So the answer has to somehow start with automation. Security needs effective automation to match pace with the other parts of the business.
But automation that can’t be easily implemented often consumes more time and effort than continuing with manual processes. And as we consider the expanded remit of security – from the data center to every aspect of the organization’s business and from corporate networks to BYOD – we need to be mindful of the increased importance of connectivity. Security teams that can’t easily automate processes across disparate locations, applications, teams and systems aren’t going to recognize the benefits of automation. So this automation can’t resemble traditional Security Orchestration, Automation and Response (SOAR) platforms, which require vendor-built plugins or engineering know-how to integrate them with modern tools. Security needs the ability to integrate any app, any stack without specialized knowledge or vendor support.
So we’ve got automation that doesn’t rely on engineering knowledge or third-party services. And this is where we get to the buzzwords. Because what we’re describing is “no-code.” Now, just as being serverless doesn’t mean there’s no server, no-code doesn’t mean there’s no code underneath the hood. But what it does mean is the user, the cybersecurity professional, can accomplish their daily responsibilities without learning a lick of Python. By abstracting the technical complexity, security teams no longer face the burden of also being experts in cloud computing or provisioning network hardware. Instead, they can focus on creating, optimizing, and executing security processes to reduce attack surface and respond to risks and active threats – the core remit of security.
No-code automation not only enables security teams to move at machine speed – helping them close the gap between “the work to be done” and “the people available to do it” – but it also reduces the need for engineering, IT, and similar backgrounds for new cybersecurity professionals, which then lowers the barrier to entering the industry, resulting in an increase of “the people available.” Putting these two together, we’re tackling the cybersecurity skills gap from both sides and effectively reducing it. This won’t take us from 1,000,000 to 0 in a week, but it gives security the ability to keep pace with the rest of the business, opens up cybersecurity to a vast pool of new talent, and lets us do more to best protect our modern way of living.
Written by Leonid Belkind.