Why recent cyberattacks are shining a spotlight on the state of cybersecurity today
With the wide variety of tools available to cybercriminals, there is a significant need to introduce more qualified defenders to level the playing field. However, this is far from reality due to a well-documented skills gap. The gap is a problem that many understand, but few know how to solve.
According to a global study conducted by ISSA and ESG, the cybersecurity skills crisis continues to worsen for the fourth year in a row. It has impacted nearly three-quarters (70 percent) of organizations.
We cannot address this skills gap by simply teaching more people to operate vulnerability scanners — we need an influx of professionals who can think like attackers and proactively defend their organizations. Why? Well, the recent cyberattacks against targets like the Colonial Pipeline, Florida’s water supply and JBS meat supply are shining a bigger spotlight now on the growing need for cybersecurity professionals and the state of cybersecurity skills today.
As attackers continually develop and test out new threat vectors, the only way to ultimately level this playing field is with human defenders who are every bit as creative and persistent as the adversaries.
There are a lot of great security products available today, and most of them do a pretty good job of doing what they are designed to do. But no matter how well-designed these solutions are, they are mostly designed to look for known issues, while many cyberattacks involve new, creative techniques used by the attackers. Moreover, the defenders within the industry are hopelessly outnumbered and need to be trained to keep up with the ever-changing cyber risks. Unfortunately, this will remain the case if we continue only recruiting cybersecurity candidates who “fit the mold.”
Who exactly are these candidates who “fit the mold?” Today most hiring managers want to hire those with hands-on operational IT experience and sound cybersecurity skills. There is nothing wrong with expecting these qualifications, but unfortunately, there aren’t enough such candidates available to meet the demand. While cybersecurity leaders acknowledge the issue, few have found effective, working solutions.
Great cybersecurity pros are those who can think critically, learn new things actively and who can come up with creative and practical solutions to solve the ever-changing cybersecurity problems we face today. If we can find people with such traits, even if they lack sufficient IT or cybersecurity knowledge, they can succeed in cybersecurity with appropriate training and mindset development. This new, diverse approach to recruiting talent for cybersecurity will open up the talent pool to allow us to practically solve the cybersecurity talent gap. We need to broaden the pool to include candidates who don’t fit the traditional profiles but possess the mindsets and traits to succeed in cybersecurity with appropriate training.
Forward-thinking companies have a great opportunity to create an environment and new way to recruit talent into cybersecurity. Someone can switch careers, learn something new, take a chance on this industry and succeed.
We need to train different types of people from different backgrounds. In addition to complex and technical skills, soft skills are also essential to succeed in this field. Cybercriminals are taking advantage of specific weaknesses in human behaviors to get into networks and gain access to systems. For cybersecurity professionals to defend against cybercriminals, soft skills are needed to improve an organization’s security posture, as it requires communications, influence and leadership skills from cybersecurity pros.
The most important factor in determining an employee’s success in cybersecurity has little to do with the person’s background — it is curiosity, creative and practical problem solving, perseverance, attention to detail and the desire and ability to constantly learn new things. It’s the ability to step back when you get stuck, not give up, not do the same thing over and over again, but think of another approach that can open new doors. Instead of wishing for more time or resources, it is the ability to do with what you have to solve the problem at hand. We call this the Try Harder mindset at Offensive Security, and it’s a foundational skill upon which employees from all backgrounds can build a successful cybersecurity career.
There is no shortcut to hard work. As such, continuous learning is crucial. Stretching yourself past your comfort zone is what makes us grow. When you’re doing things you’re not as comfortable with — that is where you learn the most and grow the fastest.
One way that we’ve found to help develop this mindset is to take breaks when you’re trying to accomplish a particularly challenging task, especially when you have strict deadlines or limited hours. For example, some OffSec students learned that while they possess the required technical skills to pass the OSCP exam, they fail because they have not learned how to handle a stressful situation. When you get stuck, it’s important to take a break. It’s during those pauses that new ideas can come to your mind in a very organic way that can give you a good hint or breakthrough idea.
Attention to detail really pays within this field. As you learn and do more, you will gain wisdom that will allow you to have hypotheses in the field. Trial and error will help you learn to persevere and to come up with creative solutions.
Cybersecurity risks are real and will get worse before they improve. Data breaches are a question of when not if.
Cybersecurity is a people problem. To defend our digital worlds, we need well-trained cybersecurity pros with the right mindset and skills.