Skills gap meets expanding threat surface

Stephen Cobb, Senior Security Researcher at ESET highlights the need to defend a growing threat surface with the widening cybersecurity skills gap globally

If you are concerned about the privacy and security of your information you might have noticed recent headlines declaring that the global cybersecurity job skills gap has grown to three million. This very worrying assertion – that many organizations around the world say they can’t find enough qualified applicants for almost three million open cybersecurity positions – comes from ISC2, the international nonprofit membership association best known for the Certified Information Systems Security Professional (CISSP) qualification.

Before I break down some of the implications of this latest workforce research, let me make a few quick points:

  • I have been a CISSP for quite a long time (as discussed here).
  • In my opinion, many cybersecurity jobs don’t require a CISSP.
  • I have studied data from previous ISC2 workforce studies (as discussed here).
  • In my opinion the studies are fair and do not inflate the demand for cybersecurity skills.
  • I highly recommend reading the report, which can be downloaded here.
  • I also recommend taking the numbers in the report seriously.

The skills gap, deep and broad
I have to admit that I was skeptical the first time that I heard there was a seven figure shortfall in the number of people needed to do the very necessary work of securing our digital world assets. So I researched the topic and arrived at the opinion that it’s probably true. I presented my research at the Virus Bulletin conference in 2016. I also discussed the skills gap – and efforts to close it – in my master’s dissertation in 2016 and here on WeLiveSecurity.com in 2017.

Defining and measuring a skills gap in a profession that is still struggling to agree on standard job descriptions is challenging. Some of the work done on the problem so far is open to question. However, I did find some consistency in one aspect of the research. Across four different surveys, by four different entities, there was a remarkably consistent response when this question was posed to IT executives and managers at a wide range of organizations: do you think there is a shortage of cybersecurity professionals?

In all four cases, about four out of five respondents agreed that they was a shortage. This included ISACA and ISC2 numbers from 2015 and 2016 (both in the low- to mid-80s). An Intel-McAfee sponsored study by CSIS – the Center for Strategic and International Studies – showed 82% agreement in 2016. In my own 2016 survey, people who said that the right cybersecurity talent was either moderately or very difficult to find totaled 83% (and zero percent said that hiring for cybersecurity was very easy).

In the latest ISC2 report, 63% of respondents said their organizations: “have a shortage of staff dedicated to cybersecurity.” Furthermore, 60% said their organizations were at a “moderate or extreme risk of cyberattacks due to that shortage”. In terms of top line numbers, the report suggests that the cybersecurity gap is getting wider, which is particularly worrying when you realize that efforts to address the problem go back at least 10 years.

In 2010, the Human Capital Crisis report from CSIS framed the problem as one of both depth and breadth, quality as well as quantity: “We not only have a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.”

The expanding threat surface
My own observation is that countries and companies have consistently fallen short of the effort required to attract enough people into the cybersecurity profession and ensure that they have the right skills. Furthermore, estimates of what constitutes “enough people” have failed to keep pace with the rate of technology development and deployment.

In broad terms, each new device attached to the internet increases the number of potential avenues of attack. And when those devices are “new” as opposed to tried and tested technologies, they increase the skillset needed to secure them. According to Cisco, the number of internet connected devices reached 8.7 billion in 2012 (Forbes). There was already a skills gap at that point. By 2018, the number of connected devices had almost tripled (Statista).

While a formula such as “cybersecurity people per million devices” does not make a lot of sense, if the number of devices triples again in the next seven years, the total workload is unlikely to be heading down (unless there is sudden decline in cybercriminal activity and/or a huge breakthrough in security technology – neither of which seem likely to me). Furthermore, these devices represent wave after wave of novel technology – from drones to smart speakers to smart building and cars, to serverless apps, and so on – within which there are likely to be new vulnerabilities that can be profitably abused by bad actors.

A different indicator of cybersecurity workload is the number of internet users, assuming that each user has the capacity to act insecurely and each employee requires some amount of cybersecurity effort. In 2012 the internet user population was estimated at 2.4 billion (Internet World Stats). By the middle of 2018 it had passed 4 billion.

These numbers all add up to an expanding attack surface, more ways to compromise and abuse systems and data. That was definitely the consensus of a room full of information security experts at a recent panel discussion on cybersecurity hosted by NASDAQ, the stock exchange where many of world’s best known technology companies list their shares. This was part of a day-long event organized by the National Cyber Security Alliance, the non-profit organization that anchors the annual cybersecurity awareness month (disclaimer: I represent ESET on NCSA’s board of directors).

An anonymous polling tool was used to ask panelists and attendees “what keeps you up at night?” The choices were: business email compromise; nation state attacks; domestic attacks; expanding threat surface; and other. Forty-five percent of respondents, all of whom have thought a lot about these things, picked: “expanding threat surface.” For me it was the logical choice because when you combine the skills gap with an expanding threat surface, you make it more likely that we will see more nation state attacks, more domestic attacks; more business email compromise, and definitely more “other”.

Wider context
While we could all be doing more to address the cybersecurity skills gap, it is important to realize that it’s not the only skills gap out there. For a start, it exists within the broader “cyber-skills gap” which my colleague Tomáš Foltýn discussed here. And when you look beyond information technology, you can see skills gaps in other sectors, as reflected in these headlines, all from 2018: Aerospace Skills Gap: Workforce Declines, As Talent Needs Increase; Skills gap stalls construction industry growth; America has a massive truck driver shortage; The pilot shortage isn’t changing course; ‘War for Talent’ Emerges Amid Fashion’s Skilled Workforce Shortage. Cybersecurity did not even make the cut in this article titled Top Five Sectors Exposed to Labor Shortages.

All of which means that the following four strategies for dealing with the cybersecurity skills gap – listed A through D below – will need to be considered in the wider context of competition for workers:

  1. Bring more people into the cybersecurity workforce.
  2. Make sure new technology is inherently more secure than older technology.
  3. Slow down deployment of new technology until B is achieved.
  4. Increase efforts to deter cybercrime.