With an ever-increasing and ever-evolving wave of sophisticated attacks reaching record levels and with cyber leaders stressing the fact that severe security events will take place in the coming years, it’s clear that the game in cyber has changed.
Understaffed and overwhelmed security teams are at breaking point as they cope with this new cyber normal. Many businesses face the challenge not only of equipping their teams with the right talent but also of fully assessing the skills within their cybersecurity teams and how those people are progressing in their cybersecurity careers.
It seems that the significant current skills gap is not just a matter of recruitment and upskilling but also a matter of measuring the existing talent and capabilities within a team.
Haris Pylarinos, Founder & CEO at Hack The Box, met with the Stott and May team for their Cybersecurity In Focus 2023 report to dive deep into the current talent acquisition challenges and the technology trends that impact the cybersecurity industry, security leaders, and internal talent teams across the world. Let’s see what he said.
The challenge I often see that stands in the way of high-performing security functions is the ability to stay outward-looking and ensure that internal skills stay up to date. You can hire the best security professionals out there with field experience, but the problem is that this knowledge can degrade over time because cybersecurity is evolving at such a rapid pace.
You need to be conscious that when security professionals join your team, they become purely focused on your organization. That means they miss a lot of experience and context they would otherwise gain if they were, say, working for a vendor providing services to multiple organizations. As a result, we are seeing the higher-performing security functions invest more heavily and more consistently in upskilling and reskilling.
Security leaders could take a few immediate actions to tackle this challenge. Investing in an upskilling and reskilling platform would be a positive start. You could also consider hosting internal competitions based on fictional scenarios, mimicking an incident to keep your team sharp and aware.
Another obvious challenge for CISOs is the basic fact that there aren’t enough experienced professionals out there to fill internal positions. The current global cyber security shortage stands at 3.4 million.
Many organizations are responding to that challenge by reskilling people. They may target talent from similar functions with adjacent skill sets. For example, you could take an IT engineer and fast-track them through cyber security training to allow you to fill tier-one SOC Analyst roles or possibly even Junior Penetration Testing roles.
This is a smart move in the current climate if you can’t hire all the cybersecurity professionals you need. CISOs should attempt to find a good balance between making experienced hires, where there is candidate availability, and having a plan for those IT engineers who have an appetite to upskill and evolve into cyber security roles.
Undeniably ransomware is still here. As long as there is a financial incentive for cyber criminals, ransomware will continue to get more and more sophisticated. Cloud also remains a focus.
While the infrastructure itself is very secure, you can, as an organization, be insecure based on your configuration. Some unique attack methods stem from the out-of-the-box functionality provided by vendors.
I see the risk rising in the cloud overall; the more we migrate, the more cybercriminals will definitely target it. IoT also presents lots of threats. Things like smart offices, smart lamps, and meeting rooms will all be targeted.
They already are, and this will continue because the more we make our lives easier through automation, the more we expose ourselves to highly creative cybercriminals. The more we merge the physical world with the virtual, the more risk there is. Given the evolution of the attack landscape, the number one thing I would focus on as a CISO is employee awareness.
Around 80% of all attacks start with a phishing attempt. Even with 2FA, if employees are not fully aware of the nature of cybersecurity threats and how they can jeopardize organizational security, the risk is still there.
I’ve heard stories of breaches where the hacker bypassed the 2FA simply by relentlessly spamming it. After countless requests, eventually, internal employees will accept a notification just to make it stop.
So internal understanding and security awareness are key. Taking that a step further, when looking at the security team, it’s essential that everyone, from Security Engineers to SOC analysts, has at least some knowledge of offensive security and how an attacker operates. After all, the best person to tell you how to secure your house from a thief is a thief. Offensive security knowledge is necessary; we must think and act like attackers to better protect ourselves.
First of all, it needs to start from the top. If the issue of security is taken seriously at a board level, the rest will follow. If it’s treated as a compliance exercise, it won’t be seen as a priority for the organization or the people working within it. So that’s point number one around security awareness - ensure you have a high level of executive sponsorship.
CISOs could raise visibility around their security program by gamifying the experience for end-users; it’s about making security fun, relevant, and engaging. In my last company, we decided to send phishing attempts internally to our employees as a security awareness exercise.
The first time we ran this exercise, lots of people took the bait. The second time, more people remembered it and became cautious and more likely to report external phishing attempts. So the takeaway is to use gamification and role-play to make security principles more accessible to the everyday user.
Don’t pass it off as a mandatory awareness course; that’s not the way. Articulate why security is a serious issue, provide some analogies, and use real-world examples of breaches so that they understand that cyber security attackers are not just targeting huge organizations; they’re attacking everyone. Users need to question and challenge everything that is presented to them - whether in the physical world or the virtual one.
Finally, look for opportunities to make the security function more visible. This could revolve around messaging and internal communications and go all the way through to having an internal security brand.
I’ve seen companies engage with end-users and increase visibility by handing out branded security swag. I’m not sure how scalable that is, but it’s another example of security leaders becoming more creative about how they engage with the broader business.
I think there will ultimately always be limitations around just how far we can go with security automation. For example, there are often multiple ways to remediate a vulnerability, and not all remediations work in the same environments in the same way.
You’ve also got to consider the business impact of any remediation, which will vary from organization to organization. I wouldn’t trust a computer to patch everything for me; I would want a human to review it and manually test it afterward. So at the moment, there are limitations to where this automation journey can go.
However, I do see lots of value in automation. Vulnerability scanning, for example, is amazing and saves a lot of time, but you’ll still need a person to classify what’s critical and what’s not. Still, in principle, the more you automate, save time, and eliminate legwork, the more you can prioritize your resources on higher-value tasks.
We naturally see a lot of demand around cloud security. It’s a hot topic and highly relevant to security professionals right now. I’d say there’s also emerging interest in AI hacking, which is probably more future-focused. Incident response and threat hunting will also continue to be key topic areas due to the importance of these roles both now and in the future. If we don’t seek out threats, they will only multiply.
I think it’s important to define what we mean by ‘hardest to fill’. Are we talking about areas where we have a real acute shortage of candidates? Or the most complex hire you will make for your security function?
If you are looking at it from a candidate scarcity perspective, then Penetration Testers will be fairly high on the list of tough positions to recruit for. It’s a difficult role and requires a lot of dedication. It’s a way of living—not just your profession.
You don’t finish your job at 5 pm; you continue to think about your work and study more. Those types of individuals are hard to find. It’s also not always seen as an easy discipline to break into. However, this is changing as crowdsourced bug bounty platforms provide an entry point to develop experience and build credibility.
If we move away from the candidate scarcity debate and drill into the importance of making the right hire, then the CISO position really needs to come into the spotlight. It’s arguably the most important hire you will make for a security function, which by default makes it an extremely difficult role to fill.
There are more CISO candidates in the market, but they will come in different shapes and sizes, so finding the right fit for your organization is key. Ultimately, you will be ten times more careful hiring a CISO than an individual contributor.
First of all, we have to rethink the way we hire. We should move away from a traditional hiring model that focuses solely on university degrees and specific certifications. I know many very skilled individuals and professionals who don’t have any of the above, but they are very good at what they do.
So we really need to look at how we assess candidates in this industry. For example, you could send them through assessment tests, have them do a demo, or have them prove their skills through a practical exercise. I don’t mind how it’s done, but relying solely on a university degree will actually sabotage your hiring efforts because it’s such a scarce candidate environment.
Another obvious coping mechanism we’ve already discussed is building and growing your own security talent. Hire IT Engineers and upskill them through an intensive 3-month training program. Trust me, if you do it right, you’ll get Cyber Security Engineers on the other side. Automation is obviously another option to do more with less, but I feel lots of organizations have already realized as many of the efficiencies as they are going to see in this space.
In this new world of work, there is also an opportunity to broaden the search radius for scarce skill sets. Even before the pandemic, our policy was to hire talent from wherever the talent is. It was less about location and more about candidate quality for us.
If you can create a global talent pool, it is better than having a local one. The only thing to consider is that, depending on the location, there may be time zone constraints. This could cause collaboration challenges, for example, so individual CISOs must be mindful of that. But if we’re talking about individual contributors who can deliver their work on their own timeline, it’s excellent. Clearly, there are additional security considerations with remote work, but at the end of the day, you’ll be able to attract top cybersecurity talent on a global scale by hiring remotely rather than just relying on a local talent pool.
Interested in getting more insights from CISOs on key themes that will shape successful security functions in 2023? Find Stott and May’s Cybersecurity in Focus report here.
Ophie, May 11, 2023