Security talent crunch raises concerns of a bumpy ride for cos in 2022

With digital transformation on the rise, so is the risk of cyberattacks. But there aren't enough professionals to secure and manage the online world, which is making cybersecurity professionals a hot property for companies.

The latest report by the World Economic Forum (WEF) said the world is lacking 3 million cybersecurity professionals. “There is an undersupply of cyber professionals—a gap of more than 3 million worldwide who can provide cyber leadership, test and secure systems, and train people in digital hygiene,” it said.

The sustained dearth of cybersecurity professionals could eventually impede “economic growth”. The report acknowledged that new endeavours to “democratize” cybersecurity -- such as furnishing security risk management tools free of cost -- may benefit small companies and other organizations to some extent. 

It added, though, that “there are concerns that quantum computing could be powerful enough to break encryption keys—which poses a significant security risk because of the sensitivity and criticality of the financial, personal and other data protected by these keys. The emergence of the metaverse could also expand the attack surface for malicious actors by creating more entry points for malware and data breaches.

This inversely gives rise to the demand for cybersecurity professionals. “Security consulting services, which include planning of cyber security strategies, policy development, building security architecture, etc., are expected to grow at a CAGR of 12.2% over 3 years to become a market worth $157 million by 2022,” said a PWC report.

“The security implementation services market in India is estimated to increase from $221 million in 2019 to $320 million by 2022, at a CAGR of 13.2%, given that drawing up effective cyber security strategies depend on successful security implementation,” it added.

According to Nasscom, DSCI, “the most advertised security job is 'Analyst.' However, there is a significant demand for Security Operations, Threat Management, Security Management, Identity & Access Management.” 

However, enterprises are struggling to find talented security professionals. In 2021, Sophos found, “67% of companies are having difficulty staying up to date with their cybersecurity environment and in-house skills are an important consideration in helping organizations tackle this issue.”

“Unfortunately, 59% of businesses agree that their company’s lack of cybersecurity skills is challenging for their organization, a marginal 3% improvement from 2019’s 62%,” it added.

Also read: Weak security controls push 50% rise in cyberattacks in 2021: Report

“Security is not just about mastering technology but the contextual application of it. The key is knowing the environment and applying appropriate controls. Enterprises look for professionals who have knowledge of both and therefore, often find it difficult to get the right mix in a professional,” said Yask Sharma, CISO, Indian Oil Corporation Limited.

The issue largely is that no amount of cyber security professionals from outside can fix cyber security. “Cybersecurity is a culture that you have to develop within your organisation. No external products or engineers can help with that as every engineer needs to be trained with this skill and most Indian engineers are hardly trained on this front and many do not understand the concept of privacy, although some may understand cyber security,” corroborated Srinivas Kodali, Researcher, Free Software Movement of India.

The evolving and ever dynamic cyber threat environment needs highly agile and up-to-date cyber professionals to protect enterprises. “With a plethora of technologies and evolving domains, finding the right fit is a huge challenge and there is currently a large demand versus supply gap in the talent market. Structured and planned upskilling of existing cyber teams on selected areas, especially, cloud and data security can help organizations stay ahead of the curve,” points out Samir Khare, Vice President – Cybersecurity, APAC, Capgemini. 

The solution, however, is simple but time-consuming — either internal organic growth or long-term contractual engagements.

“Remember the attackers are hitting where it hurts the most and they spend a lot of time in finding the spot and therefore, the defenders need to know their areas better than the attackers,” Sharma added.

This phenomenon, however, is a silver lining for comparatively smaller cyber security businesses as they are seeing a spike in demand. “With most employees working from home, the number of cyberattacks have increased around 300% in the last year alone. With our interaction with CISOs/CIOs community we hear that they need 10 cybersecurity professionals in a team, (while) they currently have three,” said Sandip Kumar Panda, Co-Founder, and CEO at Instasafe Technologies.

“Mid-size and small organisations who do not have cyber experts in their teams are now outsourcing their security services to various cyber security vendors. So, the need of the hour is how SMEs and enterprises work closely and fill this gap,” he added.