Over the past decade, organizations have continued to contend with the cyber talent and skills shortage. This is especially prevalent for the industrial sector, where organizations face increased cyber risks as they accelerate digital transformation. With increased connectivity, attacks are skyrocketing: the Cybersecurity and Infrastructure Security Agency (CISA) reported ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors in 2021.
More attacks mean more demand for cybersecurity experts — but the talent chasm is ever-widening. From 2013 to 2021, the number of unfilled cybersecurity roles grew from 1 million to 3.5 million. As such, many existing cyber teams may be inexperienced and overworked, further increasing the risks of data breaches, attacks, or other unintended consequences. The stakes are high: in critical infrastructure, a system shutdown could halt the operation of a power grid, gas pipeline, or pharmaceutical supply chain, resulting in damage not only to an organization’s bottom line but to everyday people.
Cybersecurity leaders are facing an uphill battle. They’re playing whac-a-mole with their security postures — attempting to simultaneously block attacks and ensure compliance with the latest federal regulations, such as those from CISA, National Institute of Standards and Technology (NIST), and the Transportation Security Administration (TSA) — likely with under-resourced teams behind them. But there is hope. By tapping into outside resources — including new technologies and experienced consultants — these organizations can secure their increasingly interconnected systems and remain nimble despite growing threats.
The cyber skills gap: a one-two punch
The cybersecurity industry faces a variety of unique challenges when it comes to talent acquisition and retention. There are currently hundreds of thousands of unfilled positions, with many requiring certifications or degrees that few applicants have. And, of course, cybersecurity isn’t immune to the “great resignation” occurring across industries.
Despite these factors, companies are under renewed pressure to improve their security postures. As cyberattacks surge, the federal government has been busy releasing a number of updated security requirements for sectors across the board. The TSA, for instance, has issued multiple security directives for oil & gas pipeline operators, requiring that new cyber protection plans emphasizing proactivity and prevention be submitted for approval. We’ll likely see a domino effect in additional critical industries; a July Office of Management and Budget (OMB) memo called for agencies to establish specific cybersecurity performance standards for their respective industries and to budget for federal review and assessments of those new plans.
Clearly, organizations are being held to new, challenging standards. This phenomenon has resulted in a one-two punch: not only are they fending off cyberattacks from sophisticated actors and attempting to reach compliance, but they are also grappling with unprecedented hiring and retention struggles. In trying to do both perfectly, organizations end up meeting neither goal, leaving infrastructure vulnerable to attacks and positions still unfilled.
The way forward
To adequately address the skills gap and its impact on cybersecurity posture, organizations should take a two-pronged approach consisting of organizational shifts and the use of external resources.
First, leaders must adjust their idea of what an internal cybersecurity team looks like. Rather than requiring that each employee come armed with advanced degrees, certificates, and detailed knowledge of all facets of cybersecurity, leaders should instead leverage technology to supplement employees with less industry expertise. This can look like automating administrative tasks with identity and user management for local and remote access, eliminating custom configurations for elements such as internal firewalls or jump boxes, or adding multiple layers of MFA to automatically secure different levels of access.
Technology can also help secure operations in case of human error and plug any existing gaps; automated solutions providing workflow-based session recording and shadowing options can help avoid common human mistakes through change management processes, such as doer and checker, for cyber-physical systems. An effective policy-based automated solution will not only help avoid human error but will also assist in meeting regulatory compliance requirements by recording the changes made to critical cyber-physical systems for future reference.
Second, teams can leverage external resources to plug the gaps, particularly when facing a new iteration of federal security requirements. To boost a smaller or newer cybersecurity team, companies can partner with experienced consultant teams to guide cyber-hardening and federal compliance processes. Independent expertise can be particularly helpful when integrating modern security approaches, such as zero trust, into existing strategies. Ultimately, the right partner can identify the right projects to prioritize, reduce the time it takes to reach goals, and help implement the best easy-to-own technologies to meet customer needs. Additionally, with the right cybersecurity underpinnings, remote access to operational environments can be fully implemented, increasing the productivity of personnel who no longer have to travel to individual sites for their work.
Cybersecurity’s inflection point
As cyberattacks multiply in frequency and the government mandates new and better security postures, it’s no longer sufficient for organizations to hope for the best from small and potentially inexperienced teams. But if they can adapt via technology innovation, organizational shifts and use of external resources, they’ll set themselves up for long-term success.