Addressing Cybersecurity's Talent Shortage & Its Impact on CISOs

The cybersecurity sector continues to face a dire talent shortage as the threat landscape evolves, according to recent research from ISC2, and the skill gap is only growing. In fact, the organization found that the global cybersecurity workforce grew to encompass 4.7 million people in 2022 but that there is still a need for more than 3.4 million security professionals, an increase of over 26% from 2021's numbers.

What's behind this growing shortage? We're seeing organizations shift their approach to cloud-first strategies to achieve greater scale and flexibility. At the same time, they're using more than one cloud technology provider and multiple database providers, resulting in more work, more alerts, and more data. This creates a need for new tools, changes in practice and skill, and overall involvement due to complexity. On top of this, in today's economic climate, CISOs don't have the budgets or enough people to absorb the demand. This is affecting organizations across the board, no matter their size, and is due in part to an expanding and evolving threat landscape. In 2022 alone, the number of data compromises stood at 1,802, while data compromises affected 422 million individuals.

Impact on the CISO Role

This talent shortage is not only affecting organizations but also the CISO role itself. Today, CISOs are navigating a shift in workload and greater volumes of administrative work stemming from audits, third-party risk assessments, and required vendor due diligence, on top of continually evolving legal and regulatory responsibilities. For example, two years ago, I probably spent, on average, two hours doing a third-party assessment from a customer. In 2022, this shifted to about eight hours, with some requiring over 30 staff hours. While what each CISO may be responsible for varies, I believe this pattern carries through most CISOs' experiences.

As many businesses are trying to solve evolving privacy regulations, they're also relying on CISOs to provide counsel on data protection and how to use data best. For CISOs, this means additional responsibilities and shifting their focus from protecting data to enabling its legal use. Privacy is a legal obligation with rules that vary from state to state and country to country, and enabling its legal and ethical use often requires multiple skill sets and resources to bring to life. A CISO may be the best resource to start a new privacy program, but ultimately their office is not the right home for a mature program. Privacy is best applied by those with the most intimate knowledge of the company's data, how it is used, and why.

In addition to the potential new privacy burden, security threats and breaches continue to increase. The stakes are higher than ever for CISOs and their security teams to not only act but also act quickly. The rapid migration to the cloud has made it harder for many teams to feel comfortable in their response capabilities due to lower visibility than was provided with traditional data centers. Modern, cloud-first data security tools exist, but they're not necessarily CISO-friendly because they were initially developed for data operations teams. The problem is exacerbated by more dispersed data sources and data providers, making understanding the data context almost impossible.

Data context — understanding all the connections and intersections of data and the value or risk of each, even as a byproduct — can have significant value when prioritizing incident response. Today, most security organizations don't have the context they need in a language or output that they can understand and act upon, and vice versa for data operations teams: They understand the data, but need help with privacy and security requirements.

Effective Strategies to Help Fill the Cybersecurity Skills Gap

In the face of this skills shortage, there are a few steps organizations can take to supplement the lack of human talent. First, they must adopt security as part of their business culture, meaning they should work to educate all arms of the business — from the C-suite to marketing to data practitioners — on security best practices. This will strengthen what's lacking in the current talent volume and create more harmony across the organization so they can tackle security together.

Elevating the CISO role and including it as part of the senior leadership team and even the boardroom is also critical, but it's less about reporting structure and more about visibility. New rules and regulations are putting more focus on how businesses are reporting their internal security standards and metrics. CISOs need to have a line into the boardroom to effectively communicate those standards and metrics so they can make a case for adding additional team members and hiring the right people for the job.

Additionally, organizations must continue investing in automation despite tighter technology budgets. By leveraging tools that handle the more tedious backend work and provide detailed analysis and next steps, businesses can curb expensive human labor costs while ensuring security at scale. These tools also make it possible for teams to focus on more valuable work and projects, which contributes to talent retention. Today, countless hours are spent sifting through alerts to determine which are critical. By automating mundane tasks such as this, team members can spend more time on high-value projects, resulting in them feeling more fulfilled and less likely to leave.

It's clear that the demand for more cyber skills isn't going away anytime soon. With new mandates going into effect, such as the Biden administration's cyber strategy, technology companies, and service providers are going to be under even more scrutiny by public sector customers and, eventually, their service providers. In many ways, this is positive as this pressure increases urgency around security across the ecosystem. However, organizations must invest in ways to supplement the lack of human talent now to avoid putting their business and customers at even greater risk in the future.