Cyber Security Skillset Shortages and the Great Resignation
There are so many articles, research papers and surveys recently about "the great resignation". Couple this with the continued skillset shortage in the cyber/infosec space and we definitely have a pretty hefty issue. I'm lucky I can say our attrition rate at Loop is almost non-existent, but it takes a lot of time and effort to make sure my staff are looked after and happy in their roles. On the flip side, I deal with dozens of existing, new and potential clients every week and the skillset shortage, coupled with trying to retain security staff, is a major issue for them.
The byproduct of lack of skills and losing staff is increased cyber risk. As we all know, security is constant. There is no point where we get to say "That's it. We're done. We're secure!" Organisations have policies, standards, regulatory, legislative and contractual compliance obligations to adhere to. There are new projects, new opportunities, and continual business changes. Changes to threat landscapes, changes to risk profiles. An organisation short of staff or without the adequate skillsets to perform these ongoing tasks places itself in a position of increased cyber risk.
If you look at some of these surveys, the numbers are pretty alarming. In one survey, 84% of security respondents have had someone quit in the last 6 months, heavily impacting their team and placing more load on them to take up the slack. 45% of respondents in the same survey said they already had a shortage of employees in their teams even before losing people. In the US there are currently close to 600,000 unfilled security positions. Loop is growing rapidly and I spend a lot of time recruiting, and Australian numbers (percentage-wise for our population) are probably pretty close. Finding exceptional talent is hard. I'll admit I'm probably pickier than most, but I want to ensure all our employees have not just a strong skill set and great experience; they also need to be personable enough to work with a variety of clients across varying sectors, and they need to be a strong cultural fit for the company. Without that, retention becomes even harder, not just for that individual, but it can have a detrimental impact on their teams, which then impacts the team's job enjoyment and quality of life.
Our focus is on the small to medium market which has its own specific security issues when it comes to staffing. For most in this area, it's hard to even justify one full-time security resource let alone a whole team. If they do go down the path of hiring that one person, they need someone with a vast array of skills and experience to be able to address all the different focus areas of their cybersecurity strategy. It's not a cheap resource, and with the skillset shortage at the moment, security professionals are getting paid exorbitant amounts so it's even harder for clients to hold onto that individual.
COVID-19 not only changed the way we do business, but it changed a lot of people's perceptions of the world, especially how they envisage their job roles. The impact of lockdowns and isolation over such a long period, coupled with workloads increasing and being always connected to work, is definitely a key driver to the great resignation phenomenon. And as a result, if you will let me get all cyber risk nerdy and start talking about risk = impact x likelihood... when it comes to having adequate staffing to perform your required security functions, skills shortage + great resignation + exorbitant wages just took likelihood through the roof, and that risk you had before is now definitely beyond your organisation's risk appetite!
So what's the solution to this? Let someone else deal with everything I've talked about above. In risk terms, a common risk remediation strategy is transference of the risk to someone else. Simply put, is cybersecurity your organisation's core business? If it's not, it's going to be near impossible to find the right resources. How do you know the exact skillsets they need to support your specific business and be future proof for business changes? What experience do they need? I can tell you from interviewing hundreds of people that what's in CVs doesn't always add up when you start to drill into their experience and know the right questions to ask. Man, I could tell you some wild interview stories but this article is already too long 😀
Long before COVID, we developed services to solve the exact problem above because it was always there in the small to medium business space. We have clients coming into their 6th year of working with us this way, so these services are mature and proven. There's no skill shortage as you're leveraging whole teams with vast arrays of skills and experience. There are no staff retention issues because we never have single points of failure with our clients. They deal with teams, so even if we do lose someone, the impact on our clients is non-existent. And I'm not talking about these ad hoc task-driven "virtual CISO" type services that are becoming popular with a lot of security companies. Our services are outcome-driven with clear plans and goals, we help develop and constantly drive your strategy, we embed ourselves within your organisation and become part of the team. I'm proud to say we become a very much loved part of the team, as most of our clients feel more like friends than clients, which makes work a whole lot more enjoyable.
I didn't want this to turn into some sales pitch, but rather to provide food for thought and other potential ways to solve some of the industry problems you might be facing. If you want to discuss further or even just bounce ideas off me, no strings attached, reach out. I never tire of talking infosec 😁
AI First. SOC Analyst | Threat Hunter | Podcast Host | AI Builder (GEIR, GCFE, GCFA, GMON, GSTRT)
3y: It is a huge issue. We are hiring for Senior Secops analysts at the moment! I’m surprised at how many people are pulling up stumps after only working 1-2 years in their existing roles. Is it discontent with the existing job because of conditions/pay or is it a cultural shift where to gain experience this is happening?
CISO | Board Member | Veteran
3y: Government forecast 280'000 IT IS new jobs by 2025. I hope to see lots of young Aussie kids 'get a jersey' David.