Cybersecurity Has a Workforce Gap

As the recent ransomware attack on the Colonial Pipeline illustrated, hackers are busier than ever – and making more inroads into critical components of everyday life.

While the disruption of the country’s largest pipeline for refined oil products (and the ripple effects that attack caused) caught many people by surprise, law enforcement officials were likely a bit less shocked. The average payment by victims of ransomware jumped 31% in the second quarter compared to the same time period in 2020, according to the U.S. Federal Bureau of Investigation. And cybersecurity complaints to the FBI more than tripled during the pandemic last year.

Government officials have been scrambling for years to keep up – and they’re looking to corporations for help. Back in 2019, FBI Director Christopher Wray told the Council on Foreign Relations that the best way to combat increasingly aggressive hackers was through partnerships with private sector computer security experts.

“The reality is that the threats we face today are too diverse, too dangerous, and too all-encompassing for any of us to tackle alone,” he said. “We’ve got to figure out more and more ways to work together, particularly with all of you in the private sector. We need to focus even more on a whole-of-society approach because in many ways we confront whole-of-society threats. It is very clear to me that the next few years will be very much defined by what kind of progress we can make with private-public partnerships.”

Earlier this year, Wray continued to push for cooperation, saying at Fordham University’s International Conference on Cyber Security that “there’s a saying that the best time to patch the roof is when the sun is shining. It’s the same concept here. We want people to start to build those relationships with their local FBI field office before they have a major intrusion.”

Part of the problem, though, is that there’s a shortage of private-sector cybersecurity professionals too. The 2020 (ISC)² Cybersecurity Workforce Study examined the global talent shortage in the field and found that companies could use 3.1 million additional workers, nearly double the number that exist today. (In the U.S. alone, another 879,000 are needed.) More than half of the study’s respondents – some 56% – said cybersecurity staff shortages were putting their organizations at risk.

“The cybersecurity workforce gap, simply put, is the difference between the number of skilled professionals that organizations need to protect their critical assets and the actual capacity available to take on this work,” the study said. “It is not an estimate of open positions available to applicants.”

The good news is that the gap shrank from 4 million to 3.1 million last year. The bad news is that some of those gaps are in critical roles. Colonial Pipeline, for instance, reportedly had two key security leadership positions vacant when it was hit with the ransomware attack.

Surprisingly, despite the risks and recent incursions, such as the hack of SolarWinds, which compromised a number of U.S. government agencies and major corporations, there’s not a big push to boost hiring in the cybersecurity space. Some 48% of respondents to the (ISC)² study said they planned to increase their staffing in this area over the next 12 months, roughly the same number as the previous two years. (Curiously, 15% said they plan to decrease their cybersecurity staffing, a 5% increase over two years ago.)

Despite that shortage, however, the public-private partnership is still occurring. The U.S. Department of Homeland Security (DHS) Cyber Information Sharing and Collaboration Program (CISCP) encourages corporate security collaboration via an unclassified information exchange of threats and vulnerabilities. Europol goes even further, with a website that lets public officials and private companies share ransomware decryption tools to avoid paying the hackers.

And sometimes, the partnership is more than just sharing information. In March, the National Cybersecurity Center, in conjunction with Google, launched a program to provide cybersecurity training to U.S. state legislators and their staff.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.

Chris Morris

Chris Morris is a veteran journalist with more than 30 years of experience, more than half of which were spent with some of the Internet’s biggest sites, including CNNMoney.com, where he was Director of Content Development, and Yahoo! Finance, where he was managing editor. Today, he writes for dozens of national outlets including Digital Trends, Fortune, and CNBC.com.