The widely documented cybersecurity skills shortage has long been a source of frustration for enterprise IT and HR departments. But the recruitment problems they face are set to become even more demanding as organizations increasingly migrate to the cloud—presenting a new set of challenges to securing their IT.
In 2015, global networking technology leader Cisco estimated that there were more than 1 million unfilled security jobs worldwide. And according to Michael Brown, CEO of security software giant Symantec, this figure will rise to 1.5 million by 2019. The US is one of the countries worst hit by the shortfall, with the number of unfilled positions believed to be more than 200,000.
At the same time, attacks are becoming more sophisticated, more disruptive, costlier and more frequent. This can only mean one thing for your business: you’re more likely than ever to become the next hacking target.
The public cloud can play a pivotal role in helping organizations mitigate the risks of a malicious attack, as it provides a fundamentally more secure IT environment than traditional on-premises systems. Yet, despite this, security remains a key concern for organizations considering migrating their applications.
This concern has been fueled by recent high-profile cloud breaches involving workplace chat platform HipChat and content delivery network Cloudflare. Even national intelligence organizations are not immune to potentially harmful IT vulnerabilities. But, above all, the most pressing challenge to enterprise IT is sourcing the right workforce skills to address the very specific needs of security in the cloud.
In this post, we explore the causes behind the global cloud security talent shortage, highlight some of the skills that are so badly needed, and suggest a number of solutions that can help enterprises overcome the problem.
Why Is There a Shortage?
- Rapid Growth and Innovation
Long before widespread adoption of the cloud, the supply of cybersecurity skills had been struggling to keep up with demand. The web had been growing at an exponential rate, opening up traditional IT to the outside world and providing new entry points for hackers to penetrate enterprise infrastructure. With the advent of the cloud, this problem has only been exacerbated; conventional criminals quickly recognized the scale of opportunity in cyberspace and began to switch their focus to hacking and crime in the virtual world.
- New Security Tactics
As more organizations migrated their systems and major workloads to the cloud, the cybersecurity goalposts shifted. As a result, they now needed people who also fully understood the dynamic, distributed, and ephemeral nature of the cloud, where:
- You can spin up and close down resources at the click of a button
- Network addresses frequently change
- Systems are based on an application architecture of loosely coupled distributed microservices
- You share infrastructure with other public cloud users
This demanded a shift away from the traditional security approach, which was tied up in packet sniffing, physical network devices, and perimeter lockdown. Instead, cloud security would focus much more on protection of individual workloads and environment configuration.
- Lack of Training for Specialized Skills
Another problem has always been the lack of professional training and formal education aimed at preparing people for a career in cybersecurity. This means companies continue to rely heavily on the existing security talent pool today.
But what makes recruitment all the more challenging is the fact that they need professionals with not only specialist knowledge of cloud security, but also a strong understanding of the many technologies that intersect with the cloud—such as DevOps, big data, and virtualization. This can require years of experience, which you simply cannot get by recruiting computer science graduates straight out of university.
For any or all of these reasons, interest in cybersecurity roles is underwhelming compared with other disciplines, according to a recent report from Indeed.com.
What Skills Are Needed?
By and large, cloud security work is a multi-disciplinary role. It draws on both technical knowledge and the interpersonal skills needed to deal with different teams and types of people across the enterprise.
The ideal candidate will not only offer expertise in cloud-based security. They will also have a solid grounding in traditional cybersecurity, covering areas such as firewalls, incident detection, and incident response. They’ll be interpreting log data from a wide range of sources, such as applications, servers, and network monitoring services, requiring strong analytical skills and a good understanding of big data technologies, predictive modelling, and visualization tools.
Moreover, they will have thorough knowledge of the range of services offered by your public cloud provider (or providers) of choice, and be well versed in compliance and regulatory frameworks, such as PCI DSS, HIPAA, and NIST.
In addition, cloud security professionals will be strong advocates of automation. They will drive the DevSecOps agenda, building security into infrastructure management and into continuous integration (CI) and continuous delivery (CD) pipelines.
And, finally, diligence, persuasiveness, and strength of character are essential qualities of any cloud security professional. In many high-profile attacks, such as the 2014 Home Depot breach, it is possible the company either ignored the warning signs or failed to heed insight acquired from previous incidents. This underscores the need for security practitioners to be highly proactive, continually maintaining standards and upholding best practices.
What’s the Solution?
Cloud security expertise is not only hard to come by, but also comes at a high cost, with salaries ranking amongst the highest in the IT industry. So it pays dividends to look outside the traditional avenues of employment agencies, advertising, and recruitment websites.
- Nurture homegrown talent: One of the best ways to recruit people for a career in cybersecurity is to look internally. You understand your workforce. You’ve seen the work they do, know their capabilities, and can see how well they might adapt their skills to suit the demands of cloud security, as mentioned above. What’s more, your homegrown talent already knows your organization, its people and its processes, and you have the scope to tailor their training to the specific needs of your business.
- Go where the hackers hang out: Many security experts are former hackers—good and bad—who have turned their technical skills and intellectual curiosity to protecting enterprise infrastructure. You can seek out their expertise in a variety of places, including blogs, forums, and social media. You could also build relationships with the hacking community through hackathons, meetups, and even with universities.
- Cast a wider net: Your next cybersecurity hire doesn’t necessarily have to come from a cloud computing or direct IT background. Professionals in the military, law enforcement, insurance, finance, and telecommunications fields may have experience in tackling cybercrime. Even further afield, people such as statisticians or successful gamblers will have a good instinct for risk assessment and may have a skillset that’s aligned to your security objectives.
- Consider partnering: An outsourced cloud managed service partner (MSP) or security as a service (SECaaS) provider can eliminate the headache of managing your security altogether, leaving your business to focus on what it does best. What’s more, these services often have considerable specialist expertise at their disposal and are better equipped than your own organization to address complex security challenges. (You can check out a few of our MSP partners, many of which are Gartner Magic Quadrant leaders like Smartronix, Rackspace, and JHC.)
The Role of Automation
The widening skills gap is great news if you’re a highly sought-after security professional. But it’s far from good news if you’re one of the many organizations seeking security talent—as it’s a seller’s market, you’ll need to pay top dollar for the expertise you need.
But you do have other options.
Automation, in particular, can prove instrumental in helping your enterprise meet your cloud security obligations. Better still, building automation into your cloud security processes doesn’t necessarily have to be a complex and time-consuming undertaking.
That’s because dedicated third-party cloud management platforms can provide off-the-shelf security automation. They can monitor your cloud for configurations and activity that could potentially leave your enterprise infrastructure exposed. They can recommend actions based on cloud security best practices. And they can provide you with the tools to aid and maintain continuous compliance.
What’s more, many of these platforms have been developed by cybersecurity experts, helping you to plug your own knowledge gap by taking care of many of your security technicalities.
Possibly the most unique challenge to securing complex and dynamic cloud infrastructure is the vast amount of log data it generates from constantly proliferating services and instances. This is a problem not even the best of security experts can manage without the right cloud monitoring tools. So when it comes to maintaining control over large-scale enterprise IaaS environments, cloud management platforms aren’t simply an option, but an absolute must.