Why recent cyberattacks are shining a spotlight on the state of cybersecurity today
With the wide variety of tools available to cybercriminals, there is a significant need to introduce more qualified defenders to level the playing field. However, this is far from reality due to a well-documented skills gap. The gap is a problem that many understand, but few know how to solve.
According to a global study conducted by ISSA and ESG, the cybersecurity skills crisis continues to worsen for the fourth year in a row. It has impacted nearly three-quarters (70 percent) of organizations.
Should you pay the ransom?
We cannot address this skills gap by simply teaching more people to operate vulnerability scanners — we need an influx of professionals who can think like attackers and proactively defend their organizations. Why? Well, the recent cyberattacks against targets like the Colonial Pipeline, Florida's water supply and JBS meat supply are shining a bigger spotlight now on the growing need for cybersecurity professionals and the state of cybersecurity skills today.
As attackers continually develop and test out new threat vectors, the only way to ultimately level this playing field is with human defenders who are every bit as creative and persistent as the adversaries.
There are a lot of great security products available today, and most of them do a pretty good job of doing what they are designed to do. But no matter how well-designed these solutions are, they are mostly designed to look for known issues, while many cyberattacks involve new, creative techniques used by the attackers. Moreover, the defenders within the industry are hopelessly outnumbered and need to be trained to keep up with the ever-changing cyber risks. Unfortunately, this will remain the case if we continue only recruiting cybersecurity candidates who "fit the mold."
Who exactly are these candidates who "fit the mold?" Today most hiring managers want to hire those with hands-on operational IT experience and sound cybersecurity skills. There is nothing wrong with expecting these qualifications, but unfortunately, there aren't enough such candidates available to meet the demand. While cybersecurity leaders acknowledge the issue, few have found effective, working solutions.
Great cybersecurity pros are those who can think critically, learn new things actively and who can come up with creative and practical solutions to solve the ever-changing cybersecurity problems we face today. If we can find people with such traits, even if they lack sufficient IT or cybersecurity knowledge, they can succeed in cybersecurity with appropriate training and mindset development. This new, diverse approach to recruiting talent for cybersecurity will open up the talent pool to allow us to practically solve the cybersecurity talent gap. We need to broaden the pool to include candidates who don't fit the traditional profiles but possess the mindsets and traits to succeed in cybersecurity with appropriate training.
Forward-thinking companies have a great opportunity to create an environment and new way to recruit talent into cybersecurity. Someone can switch careers, learn something new, take a chance on this industry and succeed.
We need to train different types of people from different backgrounds. In addition to complex and technical skills, soft skills are also essential to succeed in this field. Cybercriminals are taking advantage of specific weaknesses in human behaviors to get into networks and gain access to systems. For cybersecurity professionals to defend against cybercriminals, soft skills are needed to improve an organization's security posture, as it requires communications, influence and leadership skills from cybersecurity pros.
The most important factor in determining an employee's success in cybersecurity has little to do with the person's background — it is curiosity, creative and practical problem solving, perseverance, attention to detail and the desire and ability to constantly learn new things. It's the ability to step back when you get stuck, not give up, not do the same thing over and over again, but think of another approach that can open new doors. Instead of wishing for more time or resources, it is the ability to do with what you have to solve the problem at hand. We call this the Try Harder mindset at Offensive Security, and it's a foundational skill upon which employees from all backgrounds can build a successful cybersecurity career.
There is no shortcut to hard work. As such, continuous learning is crucial. Stretching yourself past your comfort zone is what makes us grow. When you're doing things you're not as comfortable with — that is where you learn the most and grow the fastest.
One way that we've found to help develop this mindset is to take breaks when you're trying to accomplish a particularly challenging task, especially when you have strict deadlines or limited hours. For example, some OffSec students learned that while they possess the required technical skills to pass the OSCP exam, they fail because they have not learned how to handle a stressful situation. When you get stuck, it's important to take a break. It's during those pauses that new ideas can come to your mind in a very organic way that can give you a good hint or breakthrough idea.
Attention to detail really pays within this field. As you learn and do more, you will gain wisdom that will allow you to have hypotheses in the field. Trial and error will help you learn to persevere and to come up with creative solutions.
Phishing simulations & training
Cybersecurity risks are real and will get worse before they improve. Data breaches are a question of when not if.
Cybersecurity is a people problem. To defend our digital worlds, we need well-trained cybersecurity pros with the right mindset and skills.
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- Why recent cyberattacks are shining a spotlight on the state of cybersecurity today
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization