Although ransomware continues to be a primary concern of most organizations, human error is — and will continue to be — the greatest cyberthreat. Organizations are increasingly facing a lack of basic cybersecurity knowledge and skillset, and a number are turning to managed service providers (MSPs) to fill that gap.
The growing cyber knowledge and skills gap
There are 3.5 million unfilled cybersecurity jobs globally, up from 1 million vacancies in 2013. Meanwhile, the demand for information security analysts in the U.S. is projected to grow by 33% by 2030, compared to just 8% for occupations overall. The demand is understandable, given that there were more than 847,000 reported internet crimes in 2021, up from fewer than 468,000 in 2019.
This means a company may seek at least a dozen people to staff a 24/7/365 security operations center (SOC), but could have to get by with only three or four. Those staffers will struggle to field an onslaught of non-stop alerts and eventually burn out and leave — two-thirds of IT professionals say alert fatigue directly contributes to turnover. When they depart, they’ll take all of the knowledge of the company, systems and processes with them.
In addition to knowledge gaps due to limited cybersecurity staff and employee turnover, organizations face another security challenge: a lack of employee cybersecurity awareness. Not only do organizations struggle to fill IT security positions, they must also focus on training employees to mitigate cyber risk. Training employees just to spot phishing emails is not enough. Security leaders should ensure they are training employees across the organization in many aspects of cybersecurity, including password hygiene and accurate system configuration.
In contrast, on the adversary side, things couldn’t be better. Barriers to entry into the cybercrime space are ridiculously low, and affordable tools are readily available on the dark web. As a result, bad actors can launch a cybercrime business for less than $1,000. Before long, they’re paying their recruits more than their target organizations do because they’re making so much money. They also offer vacation time and retirement plans, just like a “real” employer.
What can chief information security officers (CISOs) do to close this knowledge and skills gap and improve their organization’s security posture against the growing threat of cyber gangs? Some have chosen to start by consulting an MSP to fill in the gaps.
Choosing an MSP: What security leaders should know
MSPs offer services that can help organizations close the cybersecurity skills gap and harden their networks against cyber threats. Before choosing an MSP, consider the following:
- Conduct an audit: First, take a look at the mix of people, processes and technology needed at the organization and identify security gaps. For example, many mid-sized companies have not migrated to the cloud yet due to security concerns and a lack of skilled staff. Focus on MSPs that provide a comprehensive list of services, such as infrastructure management. Security should be a foundational part of every conversation.
- Evaluate Security as a Service offerings: Security leaders can consider Security as a Service solutions to help force-multiply the reach of their IT staff. MSPs can provide security analysts who can remove the burden of triage from in-house IT staffers, sort and classify alerts, and conduct investigations. A CISO’s internal team members then can prioritize security initiatives that contribute to their organization’s overarching strategic vision.
- Define organizational security posture: Assess the current security posture and define future goals for scale and security. Being clear on the business and security outcomes of cybersecurity initiatives can help a team reach success.
Organizations can close the cybersecurity skills gap and enable CISOs to hand off the onerous burden of alert monitoring, detection and response by working with external partners. While MSPs can be a great part of an organization’s IT team, cyber leadership should continue to invest in cybersecurity awareness training across the entire organization to measurably reduce data breaches caused by human error.