Researchers have warned of information security talent shortages for several years now, but not to the extent that we're seeing today. By conservative estimates, such as that from the 2017 Global Information Workforce Study, the InfoSec workforce shortage will increase to 1.8 million vacancies by 2022.
Meanwhile, Cybersecurity Ventures has an even less optimistic outlook. They predict that by 2021, the number of vacant InfoSec roles will reach 3.5 million. What's more, the report points out that those figures don't tell the whole story. Fundamentally, organizations need to revise their perception of cybersecurity as a function that can be delegated to a handful of InfoSec operators or a third-party managed security service provider (MSSP). Instead, they need to focus on cultivating a new InfoSec workforce through tradecraft enhancement.
InfoSec must pervade all IT operations
Steve Morgan, founder and editor-in-chief of Cybersecurity Ventures, put it best when he wrote that "Every IT position is also a cybersecurity position now." He added that "the cybersecurity workforce shortage is even worse than what the job numbers suggest."
This isn't to say every IT worker needs the highest caliber of InfoSec expertise. However, they should have a baseline understanding of InfoSec operations. For instance, they can use native features of common operating systems to facilitate IT ecosystems that are inherently more secure.
The out-of-sight, out-of-mind approach associated with outsourcing to MSSPs isn't the right way to go, either. While these third-party providers can support security staff, they're not meant to replace them. Furthermore, there's indisputable risk in handing the reins over entirely to an outside InfoSec vendor – and not just because you're letting an external organization oversee the safekeeping of your sensitive information. Selecting a vendor among the countless offerings out there is a difficult process, and one that could put an organization at risk if the wrong decision is made.
Long story short, there is no adequate substitute for in-house expertise. If InfoSec talent is not present within your organization, you're doing something very wrong.
Training is the problem and the solution
The obvious issue pertaining to the InfoSec talent shortage is a lack of trained professionals to go around. There are only so many certified cybersecurity specialists to choose from, which makes the MSSP option all the more enticing. Anything is better than nothing, right?
Well, not exactly. Quantity is evidently an issue, but so is quality. Black-hat hackers are numerous, but they're also increasingly organized and sophisticated. Textbook expertise can no longer stand in for hands-on InfoSec experience if we hope to outmatch adversarial hackers. In other words, we need to train more InfoSec experts, and we need to train them well. It's a two-part problem with a two-part solution.
Part one involves training the IT workforce in InfoSec competencies. According to CompTIA, the U.S. tech sector added 182,000 new jobs in 2016, accounting for nearly 10 percent of all new positions added to the country's economy, and a 3 percent increase over last year. In total, 2016's tech workforce came in at about 7.3 million people, and continues to show signs of growth. In other words, as the InfoSec workforce faces severe shortages, the IT ops workforce continues to thrive. This may be the way forward, according to Steve Morgan. By cross-training IT workers in the area of InfoSec, organizations can effectively increase the cybersecurity talent pool and cultivate the in-house expertise they require to safeguard their information systems.
That brings us to part two: training InfoSec professionals well.
Enter InfoSec tradecraft enhancement
The pass-fail approach to InfoSec training has no place in today's threat landscape. Rather, an InfoSec operator should be assessed according to their skills, technical acumen, experience, critical thinking abilities and readiness to handle new and complex challenges. These collective qualities make up what is known as that individual's tradecraft. The goal of effective InfoSec training should be to enhance that tradecraft, not to hold it to inflexible standards that do little to spark innovation.
Specifically, strong InfoSec training starts with an evaluation of a student's competencies. The next steps are to identify that student's core competencies, to sharpen them to their full potential, and then to validate those skills through live-fire exercises. Finally, those students must learn to sustain their skills, so as to stay ever-vigilant and always one step ahead of the adversary.
So yes, there is a severe InfoSec talent shortage. Yes, it's getting worse. And yes, all the while, criminal hackers are becoming more advanced.
But no, that doesn't mean all hope is lost. We will rise above because we have to. More importantly, because we know how to: through tradecraft enhancement.