We have reported extensively on the cybersecurity talent shortage plaguing the industry. The shortage is more than just a personnel issue, though; it represents a serious cybersecurity problem.
For instance, a Gartner report says that by 2025, half of all cybersecurity incidents will occur because of “a lack of talent or human failure.”
This week, we are taking another look at this topic in an interview with Steve Satterwhite, CEO of Entelligence, a company that monitors and analyzes the cybersecurity landscape.
2024 Trends: A dichotomy
Satterwhite says he has noticed several key trends in hiring for 2024, and it’s a bit of a dichotomy.
“On the one hand, we all see the numbers: 4 million open, unfilled cybersecurity jobs. There’s a talent gap and skills gap, and companies are under fire with $10 trillion in expected cybercrime losses this year,” Satterwhite notes.
Still, despite these startling statistics, companies have been slow to bring on more personnel to deal with cybersecurity issues.
“We’re seeing enterprise organizations slow to hire, slow to train, and slow to invest in comprehensive people strategies to solve their most pressing and complex cybersecurity postures,” Satterwhite explains.
Satterwhite adds that the issue of cybersecurity is a human one that requires human talent to combat. So, what are some good ways to attract talent in this tough market? Companies, including managed service providers (MSPs), that successfully fill cybersecurity gaps are taking one of several paths to fill the jobs.
Internal full-time hires: Satterwhite shares, “Sometimes they can’t get enough headcount to fill the roles. They outsource parts of the cybersecurity stack and security operations which sometimes can be more complex and expensive.”
Staffing companies: These organizations can also fill roles to speed up the process – but sometimes the quality of people doesn’t match the needs, and this frustrates the Chief Security Officer (CSO).
Some CSOs work with a hybrid partner who has deep technical relationships with hardware and software vendors and license their IP and methodology to help CSOs fill critical roles and gaps now.
MSPs seeking an engineer with a four-year degree, though, should keep in mind the human nature of cybersecurity. The degree matters less than whether a potential hire possesses a certain skill set. These skills include deep technical skills in both cybersecurity and cloud computing and, now, skills around artificial intelligence.
Beyond certification
At least 10 years of big enterprise IT experience is also key, Satterwhite notes. “We’ve found that certifications are not enough. To operate in an enterprise IT environment with many complex moving pieces is not for new grads and freshly minted certifications. You must have experience in the enterprise to make an impact.”
He adds that working in complex enterprises requires people with high emotional intelligence. Other skills Satterwhite says are crucial include:
- Great communication skills
- Project management skills
- Team player
- Hungry, humble, and smart
MSP talent shortage recommendations
This brings us specifically to what MSPs can do to fill the talent shortage. Satterwhite offers several suggestions:
Reframe cybersecurity as an investment: Organizations need to view cybersecurity not just as a cost but as a critical investment in their long-term viability and success. This shift in perspective can help justify larger budgets for cybersecurity initiatives, including hiring.
Embrace skill development: Companies should invest in training and professional development opportunities for their existing employees. This approach can help bridge the skills gap internally and reduce the pressure on the hiring process.
Streamline the hiring process: Organizations can benefit from streamlining their hiring processes to be more agile and responsive. This might involve simplifying job descriptions, focusing on core competencies rather than a long list of specific skills, and leveraging internships or apprenticeship programs to assess potential employees in a real-world context.
Cultivate a cybersecurity culture: By fostering a culture that values cybersecurity across all levels of the organization, companies can encourage a more proactive approach to cyber defense. This includes raising awareness, promoting continuous learning, and encouraging innovation in cybersecurity solutions.
Leverage technology and automation: Automating certain cybersecurity tasks can help alleviate the workload on cybersecurity teams. This allows them to focus on more strategic initiatives. This can also make the roles more attractive to potential candidates by emphasizing the focus on high-impact work.
“MSPs needing to address the cybersecurity talent shortage require a multifaceted approach that includes changing organizational mindsets, investing in people, and leveraging technology effectively,” Satterwhite says, adding that by adopting these strategies, companies can better navigate the complexities of the cybersecurity talent landscape, ultimately enhancing their resilience against cyber threats.
Other steps and insights
Satterwhite shares that MSPs, CIOs, CISOs, and CSOs are all under tremendous pressure because their job is to protect the firm, thwart cybersecurity attacks, and mitigate the ones they know about. If they are unsuccessful, they are on the hook for any liability.
“Yet, the C-Suite, including the CFO and board, often don’t see a return on cybersecurity investments,” Satterwhite says. This is where MSPs can sell their value.
“Cybersecurity is preventative. Not accretive. So, the C-Suite can’t get the budget they need. Can’t get the headcount they need. Can’t invest in upskilling existing people,” Satterwhite says, adding that this results in overworked people who are under tremendous stress, don’t have the skills they need to execute the mission, and are leaving the industry.
In closing, Satterwhite points out that not only do companies not have the budget to hire the people they need to execute, but current staff are burned out and leaving the business. “Thus, cyberattacks are imminent. Cybercriminals know this,” Satterwhite concludes.