Sunil Varkey, CTO and Strategist, Emerging Region, Symantec, sheds light on how the current skills gap is taking its toll on security.
What do you think are the primary factors contributing to the skills shortage in the IT security industry?
The skills shortage is a systemic, complex issue with a lot of contributing factors. I think a lot of people underestimate just how exciting a career in cybersecurity can be. Symantec’s 2019 High Alert research of 3,000 security leaders across Europe, found that 92 percent are fully immersed in their work, even when it’s stressful. However, while the job is thrilling, cybersecurity professionals operate in an extremely dynamic industry. The fast pace of evolution of the security landscape, in addition to the shortage of talent, means current security professionals have even less time to focus on their own skills development. Firms can also underappreciate the value of cybersecurity experts, and the salaries required to attract this talent – it’s not the same as for general enterprise IT professionals.
How has the current cyber skills shortage impacted today’s threat landscape? What kind of strain does it bring enterprises?
Ultimately, if your people are feeling strained, then your enterprise security efforts are being strained.
Our latest study also demonstrated the extent of the pressure cybersecurity staff are feeling. It found that 65 percent of surveyed professionals feel they’re being set up to fail. 64 percent also think about quitting their job and 63 percent are considering quitting the cybersecurity industry altogether.
The study also revealed that 86 percent of professionals say mounting regulation is increasing the pressure on security teams. In addition, 82 percent cited that they have too many threat alerts to deal with and securing too much data, in too many places, is making their roles more stressful.
While these are European figures, I believe they reflect the same challenges we face in the Middle East, and every single one of these problems is exacerbated by the skills and talent shortage. What’s even worse is that the strain is clearly impacting security teams’ performance. The High Alert research, which covered the UK, France & Germany, also showed 77 percent find themselves rushing when assessing a threat. On top of this, 69 percent report feeling responsible for a cyber security incident that could have been avoided. This makes an already challenging threat landscape even more dangerous.
It also makes retaining talent much harder. That said, we can’t lay this all at the feet of the skills shortage, many other factors are raising the pressure too, such as the growing amounts of regulation, technological complexity, as well as increasingly skilled and well-resourced hackers.
How can security players today help address the skills gap issue?
We must continue building a case for the attractiveness of our industry, and work to share knowledge and, in many cases, the advanced cyber security facilities at our disposal. Whether that’s giving lectures at universities or offering interested candidates the chance to tour security facilities.
The industry, as a whole, needs to commit to working more closely with a wider range of organizations, which means going beyond just educational institutions. We need a bigger, but a more diverse, workforce, so we need to cast a wider net. Women are still under-represented, and we could do more to attract people embarking on a second career. Psychologists, teachers, trainers and HR professionals, these are backgrounds which can offer immense value, because analyzing and understanding human behavior, and communicating well internally are so essential for organizational security. A successful career in cybersecurity does not have to be a technical role.
Overall, we must leave ‘no stone unturned’ in addressing the skills gap. It’s a complex, chronic issue which will take years to resolve. So, any technology which can provide an edge in the shorter term should be welcomed too, while the benefits of longer-term initiatives take time to pay off.
Are automation, artificial intelligence (AI) and machine learning technologies the key to closing the cyber skills gap?
As far as automation is concerned, it can help address the security skills gap on two levels. First, a modern integrated cyber defense platform – by correlating, cross-checking and prioritising data across multiple security products – can reduce the volume of alerts and highlight those that really matter. Second, in addition to reducing analysts’ workload around alerts, it can automate reporting and compliance. This relieves mundane manual administrative tasks, enabling time-pressed cyber security professionals to focus on higher value activities.
Modern integrated cyber defense platforms, machine learning and AI can change the game entirely. These technologies free up time for cyber security professionals to focus more on skills development, while also making them more capable and less stressed. All of which makes the job more enjoyable – always a good thing for staff retention.
What cybersecurity roles will be the most in-demand in the region from 2019 onwards?
Predicting anything in our industry is a tough ask, due to the speed at which job roles and requirements can change. Based on what we’re seeing now though, some of the most in-demand jobs for the year ahead will be Network Security Engineers, Cyber Security Analysts, Security Architects, Cyber Security Managers and of course Chief Information Security Officers.
As we work to tackle the critical skills gap, we must be as collaborative and resourceful as attackers are, with regard to our technology and talent strategies.