National Harbor, Md. — While the cybersecurity skills shortage continues to plague the industry, the “real problem” lies in how security leaders are addressing the issue, said Sam Olyaei, director at Gartner’s security and risk management group.
“The problem is really our mindset has to be shifted away from thinking about open roles that can be hired out in the market to actually optimizing the security function in ways that can actually help you procure the competencies we need,” Olyaei told attendees during a session at the Gartner Security & Risk Management Summit.
According to a Gartner survey, 61% of organizations admitted that they are struggling to hire security professionals.
Most organizations struggle because they don’t know what cybersecurity skills they need or put too much weight on certifications, Olyaei said. They haven’t mapped everything back to a workforce strategy or framework to figure out what they need, he added.
“We have to look for alternative, emergent techniques that we can use to not only source these people, but build them,” he said.
When it comes to security roles, he said, there is a lack of standardization around titles, names, terminology and, as result, a lack of clear career paths.
“The problem is, there is no standardization on what these titles actually mean,” he said. “An incident response analyst could potentially be an information security analyst in another organization. A security engineer could even be a security architect in another organization.”
Olyaei advised security program practitioners to craft a strategy planning process that takes into account frameworks like the NIST’s National Initiative for Cybersecurity Education (NICE) cybersecurity workforce framework. The NICE cybersecurity workforce framework is designed to introduce standardization in the titling aspect of the information security and cybersecurity roles, he said.
“That’ll help you identify, the competencies, knowledge and skill sets that we might need in the future and ultimately get ahead of the curve by planning for these things today,” Olyaei said.
He also recommended security professionals use enticing job titles that don’t just focus on the technical aspect of the job, but stresses on opportunities to “develop and grow” and “learn and adapt,” to help attract the right candidate.
He advised investing in training simulation platforms like a cyber range, which replicates an organization’s environment in a lab, to build the cybersecurity skills needed to plan and execute a digital business strategy.
Security automation in the era of digital business
Gartner analysts believe a contributing factor to the cybersecurity skills shortage is the rapid digital transformations that many organizations are experiencing. In the company’s latest digital business survey, 85% of organizations reported actively pursuing digital optimization strategies, and 66% reported being on the path to digital transformation.
Emerging technologies will impact security and risk directly because rapid adoption of emerging technologies is creating risks, Gartner director Beth Schumaecker said during the opening keynote at the conference.
“We try to build a security risk management team that can face all of these demands and we are confronted with the new reality that digital transformation needs new skills from our security people,” Schumaecker said.
Given the “tight security labor market,” Schumaecker advised organizations to think about how they implement an adaptive automation strategy that allows them to best utilize the people and skills they have.
Olyaei urged security professionals to figure out skills and functions that can be automated, and which ones can be outsourced to a managed security service provider or managed detection and response service providers.
“If you have repetitive functions in your organizations today, you should be looking to automate that right away,” he said. “Take advantage of what’s around you in terms of technologies, tool sets, capabilities, techniques, and ultimately, even external people.”
Security leaders should also move away from a siloed approach toward cybersecurity, he said, because it will not work in digital security or digital business platforms.
“While information security analysts today probably focus more on the operational day to day, things like log management, or monitoring, or endpoint protection, you’ll start to see a less siloed approach as you move to digital,” he said. “A lot of times organizations try to break down the silos so that they have more versatile people that can arrive at the same conclusions.”
Digital businesses require digital competencies
Embracing digital technologies to deliver new value and competitive advantage to the enterprise also requires developing digital competencies, Gartner analysts agreed. CISOs and security risk leaders need to hire people with digital competencies.
Adaptability is a key security skill in the digital era, Olyaei said.
“This is somebody who demonstrates flexibility, agility and the ability to respond effectively to different demands,” he said.
Business acumen, digital dexterity, outcome-driven, and collaboration and synergy are other key digital competencies required of security professionals today, he said.
The drive toward digital business will also create demand for new skills, he said. While top security roles currently in demand include information security analyst and vulnerability analyst/penetration tester, Olyaei predicted that’s going to change in the next few years.
“A pen tester, for example, is measured on whether or not they can actually get into an environment, the system and network applications etc., and whether or not they can find original vulnerabilities,” he said. “We’re starting to see the role of a pen tester change and trying to figure out whether or not you can actually catch an attacker in the process of using a vulnerability to infiltrate the system or environment.”
As organizations begin to mature, he said, the demand for the technical security analyst role will also decrease.
“A lot of the functions this technical security analyst is responsible for doing will either have been outsourced, automated or in a lot of cases be bundled into a common security function that this person’s required to do,” Olyaei said.
Some of the emerging roles that CISOs and CIOs and security and risk leaders need to keep track of are digital risk officer, data security scientist, security champion, digital ecosystem manager and chief of staff.
“These five roles are shaping up to be sort of that bridge between information security and digital security … taking you from that traditional focus on confidentiality, integrity and capability, to focus more on privacy, safety and resilience,” he said.