How to Tackle the Cybersecurity Skills Shortage  

If your organization is having trouble hiring people with cybersecurity skills, it’s not alone. A 2021 study from (ISC)² points to a shortage of more than 2.7 million cybersecurity professionals around the world.[1] Another study, from the Information Systems Security Association, found 95% of cybersecurity professionals don’t believe the skills gap has improved in the past few years. In fact, 44% said it has worsened.[2]

Among the consequences, one-third of respondents to Mimecast’s State of Email Security 2022 (SOES) report said insufficient security staff is one of their biggest email security challenges. Tellingly, this is up from 25% in 2021. Additional hiring and training are obvious steps forward – but so, too, can be investments in technology tools that help to minimize a company’s exposure to cybersecurity threats.

Cybersecurity Staff Shortage Leaves Companies Vulnerable 

The skills shortage affects companies in many ways. According to the (ISC)² report, the most common risks include misconfigured systems, incomplete risk assessments, slow patching, rushed deployments, and lack of full oversight over the security process or threat landscape. 

It also means an increased workload for talent-strapped cybersecurity teams – which often leads to burnout – and companies poorly positioned to respond to an ever-changing and expanding cybersecurity landscape.

That’s worrisome given a 7% increase in reported cybercrimes in the United States from 2020 to 2021, according to the FBI’s Internet Crime Complaint Center. Potential financial losses from these crimes were nearly $7 billion, with $2.4 billion lost due to business email compromise alone.[3] This is a significant concern, as 80% of companies in the Mimecast SOES report said they will likely experience an email-based cyberattack within the next year. Companies also face a variety of other threats, ranging from the Log4j vulnerability – which could remain in computer systems for a decade or more[4] – to state-sponsored exploits carried out by bad actors in China[5] or Russia.[6]

The cybersecurity skills shortage, coupled with limited financial and technical resources, has left many companies ill-equipped to deal with the threats they face. For example, only 64% of midsize companies have a cybersecurity incident response plan in place,[7] and many haven’t taken the step of identifying an incident response partner.[8]

Companies with fewer than 500 employees are in a similar situation – one further compounded by the belief among business owners that they are too small to be a target. A Digital.com survey found that 51% don’t have any cybersecurity measures in place,[9] while small business owners in a CNBC survey ranked inflation, supply chain disruption, and labor shortages as more important concerns than cybersecurity.[10]

Unfortunately, this belief is misguided. According to a 2022 Gartner report, cybercriminals are now focusing on shorter campaigns and smaller targets, particularly when it comes to ransomware.[11] Criminals also recognize that small businesses play an increasingly vital role in global supply chains, which makes them attractive starting points for larger-scale attacks.[12]

Confronting the Cybersecurity Skills Shortage 

Companies can take several steps to combat the cybersecurity skills shortage. 

• Fill more cybersecurity roles. This may seem like a Catch-22 given the high demand for qualified cybersecurity professionals, but industry experts suggest it’s possible if companies are willing to take two steps. One is to expand the talent pool to individuals with less formal cybersecurity experience or education but a willingness to learn and the ability to solve problems – the two most highly sought nontechnical attributes among cybersecurity personnel, according to (ISC)². The other step is to consider internal job candidates with transferable skills since they already know corporate culture and require a shorter training on-ramp than new hires. 
• Increase security awareness training efforts. Teaching employees throughout the company how to recognize common threats can help cybersecurity staff breathe a little easier. The Mimecast SOES report indicated that companies face a bevy of risks that result from employees’ mistakes, from poor password hygiene to using unapproved applications, such as personal email, online shopping sites, or cloud-based storage. With only 23% of companies saying they conduct cybersecurity training on an ongoing basis, it’s clear that companies need to rethink how often they train employees – and ensure that training actually improves employee behavior.
• Address the cybersecurity basics. The U.S. Small Business Association[13] and Federal Communications Commission[14] offer numerous recommendations for helping companies strengthen their cybersecurity. These include, but are not limited to, using firewalls, secure Wi-Fi networks, up-to-date antivirus software, multifactor authentication, and physical protections for laptops and mobile devices. These may seem like basic steps, but not everyone is implementing them. Even after suffering a cyberattack, less than half of businesses installed antivirus software, only 25% implemented staff training for cybersecurity, and 8% made no changes at all to cybersecurity practices, according to Digital.com.
• Provide technical solutions. Beyond covering the basics, companies can look to an array of technical solutions that streamline common cybersecurity tasks, such as identifying and remediating threats or authorizing new devices. Unfortunately, using dozens of products can result in repetitive or contradictory alerts that go unnoticed over time and increase the risk of missing a legitimate cyberattack. A better approach is to rely on a few integrated, best-of-breed solutions rather than using too many – or too few – security tools.

The Bottom Line

Amid a global cybersecurity skills shortage, today’s companies need all the help they can get. Hiring cybersecurity staff is an obvious starting point, but it can take many months to fill an open cybersecurity position and then train a new hire. Fortunately, a range of security tools can also minimize a company’s risk of a cyberattack and make an impact immediately. Mimecast’s solutions for email security, web security, and incident response help companies strengthen security through intelligence and automation, while security awareness training helps to reduce the risk of human error.

[1] “2021 Cybersecurity Workforce Study,” (ISC)²

[2] “The Life and Times of Cybersecurity Professionals 2021,” Information Systems Security Association

[3] “Federal Bureau of Investigation Internet Crime Report 2021,” Internet Crime Complaint Center

[4] “Review of the December 2021 Log4j Event,” Cyber Safety Review Board

[5] “People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices,” Cybersecurity & Infrastructure Security Agency

[6] “Update: Destructive Malware Targeting Organizations in Ukraine,” Cybersecurity & Infrastructure Security Agency 

[7] “Cybersecurity Trends for Mid-Sized Organizations,” Egnyte

[8] “The Cybersecurity Incident Response Market Abounds With Choice — But Please Choose Before You’re Hit!” Forrester

[9] “51% of small business admit to leaving customer data unsecure,” Digital.com

[10] “America’s small businesses aren’t ready for a cyberattack,” CNBC

[11] “How to Respond to the 2022 Cyberthreat Landscape,” Gartner

[12] “The cybersecurity skills gap persists for the fifth year running,” TechRepublic

[13] “Strengthen your cybersecurity,” U.S. Small Business Association 

[14] “Cybersecurity for Small Businesses,” Federal Communications Commission