Overcoming the Cybersecurity Skills Shortage

By Ron Samson Jr

It’s everywhere on the news: there is a cybersecurity shortage. The problem is that the threats are evolving faster than anyone had imagined. The industry is constantly training new people, but the demand is staying ahead of that.

Here is a look at what the problem is and how an MSSP (Managed Security Service Provider) can help:

The People Shortage

As mentioned above, there is a lack of qualified cybersecurity professionals. There are several reasons for this:

  1. It’s a relatively new field. It only really branched off as a separate specialty in the last ten or fifteen years. Before that, it was handled by the IT staff who had a general IT education that included a bit of cybersecurity.
  2. The need for security specialists has increased exponentially as more and more companies find that their data needs have grown enough to require more cybersecurity staff.

In 2018, 51% of companies surveyed indicated that they were experiencing a shortage of cybersecurity skills. This is up from 45% in 2017 and is expected to grow to nearly 75% in the next five years.

The Skills Gap

The skills gap arises from a mismatch between the people who have skills and the organizations that are hiring them.

  • 39% of businesses indicated their security staff simply don’t understand the needs of their business
  • 33% indicated that there was a noticeable skills gap between the skills that their current cybersecurity staff has and the ones that they need to protect the company’s assets

The reality is that many cybersecurity professionals are taught cybersecurity, but they don’t truly understand business, particularly some of the highly specialized businesses that are seeking cybersecurity professionals.

The Danger of Operating Short-staffed

Many organizations find themselves struggling with a cybersecurity team that is chronically short-staffed. It’s even worse when the cybersecurity needs of the company are on the shoulders of the IT team. Its staff is responsible for handling the hardware, keeping the workstations running, and even changing passwords.

Putting something as vast and kinetic as cybersecurity on the IT team can often lead to severe burnout. The staff is running around handling general IT problems and looking to prevent a massive cyber-attack that might take down the whole company.

Even if a firm has a cybersecurity team, that team is often shorthanded and finds itself struggling to keep up with the workload and stay ahead of the latest trends and issues in cybersecurity.

It’s worth noting that there is a lot of pressure on cybersecurity staff. The potential for loss from a cyber-attack is extremely high:

  • Over 60% of small to medium businesses that experience a cyber-attack are closed within 6 months.
  • The cost to clean up even a small cyber-attack can be in excess of $100,000.
  • Cyber-attacks on businesses are costing investors £42 billion ($55.63 billion) in losses, according to a study commissioned by cybersecurity firm CGI and conducted by Oxford Economics. (1)
  • The study also confirmed that a company listed on the FTSE 100 Index is worse off by an average of £120 million ($158.94 million) after a breach. (1)

The staff, whether they are security specialists or general IT staff, understands that the entire company can live or die based on their success at protecting company assets from cyber-attack.

Using an MSSP to Fill in the Gaps

An MSSP (Managed Security Service Provider) is simply a fancy techie acronym for a computer security firm. The team at an MSSP specializes in cybersecurity and only cybersecurity. Everything from analyzing for existing problems to responding to attacks, they handle all of it.

Here is a comparison between in-house (or even outsourced) IT staff and an MSSP:

 

| IT | MSSP |
|---|---|
| Working usually 8 to 10 hours per day | Watching systems 24-7 |
| Typically will learn about new security threats via public information like the news | Linked into a global network of security specialists to know about new threats in near real-time |
| Often learn to respond to attacks as the attack is happening | Use public information to prepare for attacks before actually having one |
| Use generally available antivirus and protections | Seek out the latest generation of antivirus to keep ahead of threats |
| Update software once per day, at most, or will have a bot do updates on a regular basis | Will update software constantly as new threats are detected and patches are created |
| Often finds out about zero-hour (software flaw) attacks when advised by programmer | Seeks out data on zero-hour attacks and doesn’t wait for official statements |
| Update software on a regular basis | Updates software as soon as security updates are available to prevent attacks |

 

Most importantly, most MSSPs work with multiple clients at the same time. This means that they are able to monitor several systems at once. Fewer people to cover more bases helps relieve the need for any one company to hire a complete security staff. Sharing all of these skills helps to make sure that your company has what it needs, 24 hours a day, 365 days per year.

Is Hiring an MSSP Cost Effective?

The short answer is, yes. An MSSP is much less expensive than trying to hire your own staff, even if you could find them. The shortage has created wage pressure. The best people in the business are more expensive than they might be if there wasn’t so much pressure.

Spreading the expense of a 24-hour staff makes it less expensive for everyone. In fact, only the very largest companies and those who are 100% online, like Facebook, need to have a full-time, dedicated security staff.

A Quick Guide to Hiring the Right MSSP

Finding an MSSP that meets your needs isn’t difficult, but there are a few things that you should look for and ask about:

  • Do they offer 24-hour protection and support?
  • Do they understand your industry and its specific regulatory and practical needs?
  • Are they prepared for a long-term security relationship?
  • Can they describe precisely what security protections they will put in place and why?
  • Will they assist with the development of a cybersecurity policy?
  • Will they help you train and educate your staff?

 

Each of these and many more criteria should be looked at when seeking a firm to work with.

Integrate an MSSP into your IT Team

Bringing in an MSSP should not be difficult for your existing IT team. The MSSP acts as your dedicated cybersecurity personnel. Since there is very little overlap once systems are secured, the two teams should be able to work closely together to protect company assets and keep your firm safe from cyber-attacks.

An MSSP Can Help Overcome the Cybersecurity Skills Shortage

In short, because it is dedicated to cybersecurity and lets you tap into the shared skills of an entire team, an MSSP can help you avoid the struggle to find cybersecurity experts for your staff. With a single phone call, your company can have all of the cybersecurity protection it needs without struggling to find personnel who are both qualified and available.