As the scope of the cyber hygiene challenge outpaces the expert resources available, security teams are losing ground in the effort to protect their organization. The security skills gap is hardly a recent development; open job requisitions and soaring salaries have been the bane of enterprise security for many years. But with no relief in sight, it's clear that traditional approaches to security talent just aren't working and cybersecurity training needs to be reexamined. It's time to try something different.
In our last blog on the findings of the JupiterOne 2022 State of Cyber Assets Report, we examined the proliferation of cyber assets and its implications for the ever-expanding enterprise attack surface. Now, in the second part of our five-part series, we'll focus on the human element of the crisis: the outdated cybersecurity training models that leave security teams chronically understaffed, overwhelmed, and struggling to meet their responsibilities.
Cybersecurity training has fallen behind reality
JupiterOne's analysis of over 370 million cyber assets, policies, and findings at nearly 1,300 organizations reveals a wide and growing divide between security responsibilities and skills.
Today, many cybersecurity degree programs and certifications remain focused on legacy IT technologies: physical endpoints like laptops and smartphones, premises-based networking, and other mainstays of yesteryear. How well does this align with the actual environments in which these professionals will work? Consider that:
- Nearly 90 percent of devices in the modern organization are cloud-based
- Physical devices such as laptops, tablets, smartphones, routers, and IoT hardware represent less than 10 percent of total devices
- Cloud networks outnumber physical networks by a ratio of nearly 60:1
Devices are still an important part of cybersecurity; after all, there are 110 devices for every employee at the average organization, while the average security team is responsible for 32,190 devices. But what about the security needs of the cloud-native, serverless architectures of the modern enterprise?
Security professionals need to close the cloud security skills gap
In the old days, security and IT teams worked together more closely—at least in physical terms. When IT deployed a new physical asset like a laptop, it was relatively easy for IT to make sure essential security measures were being implemented. In a cloud-native world, this isn't nearly as simple. Few security professionals have the cloud security expertise to provide the right guidance. And even if they do advise an engineer to turn on encryption in the cloud or set up alerts for data exfiltration, they lack the authority to make it an order—and time-pressed engineers have little incentive to slow deployment for the sake of security.
Cloud policy has also failed to keep pace with cloud risks. JupiterOne's analysis of 10,598,506 security policies found that over 99 percent of policy enforcement is automated, consisting of configurations, rulesets, and technical procedures. Yet even with this laudable progress toward automation, cloud policies represent less than 30 percent of total guardrails—and cloud assets still generate over 97 percent of security findings. It's no wonder that, according to analysts, at least 99 percent of cloud security failures in 2022 and 2023 will result from cloud resource misconfiguration.
It's clear that the rush to the cloud has proceeded more quickly than the maturation of cloud security, and the security skills gap has continued to widen. Organizations have yet to figure out what secure-by-design means in the cloud, understand the full picture of their evolving security risks, or determine what policies should be applied across cloud assets.
Closing the security skills gap and expanding the cybersecurity talent pipeline
Of the 32,190 devices in the average organization, 28,872 are cloud hosts. This cloud-heavy mix calls for new cloud-focused approaches to cybersecurity training and upskilling. At the same time, the industry needs to vastly expand the talent pipeline—and that means looking beyond college degree programs.
While bachelor's and master's degree holders are the backbone of most enterprise security organizations, many roles, including thousands of unfilled cybersecurity jobs, are more vocational in nature. Students completing cybersecurity training in vocational schools can immerse themselves just as deeply in their field while completing their training and entering the workforce within two years or less.
Vocational training can have a transformative and vital impact on addressing the cybersecurity skills shortage. Established professionals in the field should foster this trend by identifying roles in their organization that can be filled by job-seekers who have received this type of education, then adapting their hiring practices accordingly. Going further, they can also partner with cybersecurity-focused vocational training and education programs to ensure that students are receiving the most-needed skills. In this way, they can provide new career paths for a broader range of individuals while helping develop desperately needed talent to properly defend our digital ecosystem.
In our next blog, we'll look at the findings of the JupiterOne 2022 State of Cyber Assets Report on the security demands of today's dynamic network architecture.