Many MSPs are in the same boat as restaurants, hotels, hospitals, and funeral homes: not enough workers. Some estimates point to 500,000 vacancies in cybersecurity-related jobs, and MSPs represent a share of those vacancies, lacking the cybersecurity talent to fill them.
In 2020, labor research firm Emsi estimated that the US had less than half of the cybersecurity candidates it needs to keep up with ever-intensifying demand. Since that time, the problem hasn’t gotten any better. But the challenges of filling IT vacancies don’t just create a labor issue for MSPs; it also imperils cybersecurity for clients.
Recently, (ISC)2 conducted a survey of how the lack of cybersecurity specialists is impacting security. Here are some of the consequences reported in the 2021 Cybersecurity Workforce Study:
- One-third of respondents cited system misconfigurations as a consequence of staffing shortages.
- Three in 10 respondents also blamed staffing shortages for not allowing enough time for proper risk assessment and management and making organizations slow to patch.
“MSPs need IT talent, but if they can hire someone with impeccable cybersecurity credentials, then they need to treat him or her like royalty because the talent is in such short supply,” advises Leonard Golden, a cybersecurity consultant in Milwaukee, Wisconsin. “IT talent is in short supply, cybersecurity talent is in even shorter supply.”
Golden says MSPs lacking in cybersecurity talent pose a cybersecurity risk.
There is still nothing that beats actual humans to analyze data, compare and contrast, and anticipate. An experienced human with a proven track record to analyze and put events into context remains the gold standard.
“AI is closing the gap, but it’s still not there yet. People are still the biggest defense against cybercriminals,” states Golden.
Tips for overcoming the cybersecurity talent shortage
Golden shares several steps MSPs need to take to counter the labor shortage, including:
AI-infused software: More and more programs are available that can act as a set of eyes on a network. “And if human eyes are in short supply, then the best software is the best stopgap,” suggests Golden. MSPs need to look for software solutions that employ robust AI and up-to-date algorithms to deploy against emerging threats.
Working environment: Small MSPs are hard-pressed to compete with the deeper pockets of larger IT entities. But Golden warns MSPs must do more than have office parties and casual Fridays to keep and retain talent.
“You need to recruit top IT talent and then keep them by making them stakeholders in the company somehow. I’m not saying that you make them owners, but find a way to help them feel like they have ownership and know their values align with your company’s. If you can match the values and corporate culture, an employee is more likely to stay. You can’t compete on dollars, but you can compete on values,” Golden says.
Training: Don’t overlook who might be right under your nose. “IT and cybersecurity are learnable, like everything else,” reminds Golden, adding that anyone on your payroll could potentially be a cybersecurity specialist.
“This is an extreme example, but I worked with an MSP that desperately needed a cybersecurity specialist on staff,” Golden remembers. “The MSP had a young woman working as a receptionist and administrative assistant in the office. She always overheard conversations about the cybersecurity talent shortage and one day expressed interest in helping the team. She took the next year to learn (the MSP paid tuition for training at the local community college) and eventually earned a certification and is now one of the company’s most valued cybersecurity specialists. Of course, then they had a receptionist vacancy to fill!”
Cross-training: With no sign that the labor shortage will improve anytime soon, MSPs should cross-train employees on as many different tasks as possible.
“Make your MSP as agile as possible, so that everyone from the President of the company to the newly hired engineer can at least do some basic cybersecurity tasks if needed. You don’t want a client vulnerable because of a simple unapplied patch,” advises Golden.
Sharing: Consider sharing a cybersecurity professional. Sharing cybersecurity talent has worked for some smaller MSPs. Similar to when some churches have experienced a clergy shortage and relied on “circuit rider pastors” where congregations pool resources. Doing the same with a cybersecurity specialist can reap savings.
“I had one MSP client that was paying top dollar for a cybersecurity professional on staff, and it was killing them financially. Meanwhile, a competitor MSP desperately needed more in-house cybersecurity talent. Even though they were competitors, the two sat down and realized the advantages of sharing the person’s cost and benefits. Everyone won,” recalls Golden.
MSPs that think outside the box and are willing to be nimble will find themselves best able to weather the labor shortage that seems to be hitting every industry.
Photo: Sudtawee Thepsuponkul / Shutterstock