As the number of attacks on enterprise systems continues to rise, you might think that recruitment of cybersecurity professionals was also rising. In normal circumstances that would indeed be the case, but recent research published in the fifth annual global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) indicates the there is a major crisis in the cybersecurity industry.
Filling Security Professional Vacancies
While the solution to these kinds of crisis is to train more people across the enterprise, the reality is that many organizations are finding it impossible to fill these posts. In fact, according to the research, the cybersecurity skills crisis continues on a downward, multi-year trend of bad to worse and has impacted more than half (57%) of organizations.
The Life and Times of Cybersecurity Professionals 2021 report surveyed 489 cybersecurity professionals and reveals that the crisis is taking on a number of different nuances that organizations are finding difficult to manage. Among the more striking findings are:
- An increasing workload for the cybersecurity team (62%)
- Unfilled open job requisitions (38%)
- High burnout among staff (38%).
Furthermore 95% of respondents state the cybersecurity skills shortage and its associated impacts have not improved over the past few years and 44% say it has only gotten worse.
Notably, the three most-often cited areas of significant security skills shortages include cloud computing security, security analysis and investigations, and application security. For many organizations with their dependency on cloud computing, the news is worrying. It also raises the question as to how secure their cloud deployments are and even whether they can trust the cloud at all.
Related Articles: Why Enterprises Are Bringing Their Workloads to Multi-Cloud Environments
Remote Work And The Cloud
This is particularly true with the explosion in remote working. More remote working means greater usage of cloud applications, which has led to increased demand for cybersecurity professionals with skills in cloud computing security, according to Pieter VanIperen of New York City-based PWV Consultants, told us. A significant number of organizations are struggling to find the people to fill these gaps.
There has been a known shortage of software developers in the technology industry for some time, security is no exception. He said that there are currently about five jobs for every one developer (roughly), so the inability of companies to find cloud computing security pros isn’t all about knowledge. Much of the problem is around a simple lack of people rather than what people know. Even so, cloud computing is still more secure than traditional methods.
Cloud service providers, he adds, ensure that storage systems are backed up thoroughly so that nothing gets lost, even in the event of a breach. They also have dedicated specialists who can walk businesses through how to use the cybersecurity services they offer. “So, yes, cloud computing is still safe. Businesses should make sure they understand the security risks they assume versus what falls under the umbrella of the cloud provider so that proper adjustments can be made, but every business should be utilizing the cloud,” he said. Technology is eating the world, digital transformation trends force businesses into the cloud to stay competitive, and while it can be difficult to find developers to keep in-house, there are always experts who can be called upon for assistance.
Related Article: Take Your Cloud Strategy Into the Future
You Can’t Avoid The Cloud
However, the shortage of technicians is not a problem that is going to be solved overnight, Daniel Cohen, VP of Cloud Services at Sunnyvale, CA-based Radware, added. He says that avoiding cloud technologies is not the solution. Today’s enterprises require 24×7, always-on digital access to either connect to their workforce or end-customers.
To help bridge the gap, organizations need to ensure that there is not only more advanced education and upskilling for our security teams, but also more security awareness training for all employees. Security is everyone’s responsibility in our anytime anywhere workplace.
Cybersecurity firms also have a major role to play in managing the shortage. By delivering solutions that leverage advanced technologies, such as machine learning and automation for increased productivity, they can help keep organizations protected even with a dwindling cybersecurity team,” he added.
Cloud Security Vs. Cybersecurity
So, what exactly is needed to keep your cloud deployments safe? The skill sets for cloud security professionals are different from those of other cybersecurity skills in two areas, Terumi Laskowsky, a cybersecurity instructor at Denver, Colo.-based DevelopIntelligence, said.
1. Shared Responsibility Model
First, the shared responsibility model for security points to how two parties share the security responsibility for the cloud-based systems: The Cloud Service Provider (CSP) and the Cloud Service Consumer (i.e., the cloud customer).
Think of the CSP as an outsourcer. The CSPs offer their physical infrastructure (i.e., datacenter, servers, network, storage, etc.) and other services to the consumer. The consumer uses them to migrate their existing systems, create new ones and upload their data. Each party (CSP and CSC) is responsible for security for their respective areas of responsibility. But the CSC has ultimate responsibility for ensuring safety of organizational data and systems.
A CSC cloud security professional must be able to vet the security of CSPs, while also managing risk and designing, implementing and managing organizational security controls.
2. Physical vs. Logical Resources
When a company moves into the cloud, the first thing that goes away is the physical servers, networks and storage. Of course, the physical equipment still exists, but they are owned and managed by the CSPs. For the CSC cloud security professionals, almost all the things they manage will be virtual — virtual servers, software-defined networks, virtual storage systems, containers, managed services, serverless offerings and the list goes on.
The physical is “abstracted away” from the CSC. For example, virtual machines (VMs) abstract the physical infrastructure, containers abstract the operating system and serverless services abstract the runtime engines. The skill sets required to work with the abstracted services are quite different from working with the physical. They may act and look the same, but they are different and often more complex under the hood. In general, as complexity increases, the likelihood of vulnerabilities also increases.
Vulnerabilities arise from assuming that the CSPs are responsible for certain security aspects when they are not. The CSPs will not stop you from creating vulnerable systems. They can only offer advice.
This also is related to consumers exposing sensitive data in the cloud, such as PII (Personally Identifiable Information) and other secrets. CSPs are not going to stop you from doing that because the data is the responsibility of the cloud consumer. Working with virtual environments requires investment in learning the technology and understanding the differences compared to the physical. Since separating networks provide a level of isolation (i.e., security), and routers provide security controls when connecting them, the security professional must learn how to implement security using a different technology.
“If an organization does not have enough trained cloud security professionals, all the issues mentioned above go without being addressed properly,” he said. “Among the issues mentioned above, the lack of visibility related to the shared responsibility model for security can cause issues for the security professionals.”
Infrastructure and Data Security
There are two other issues that need to be considered too. Scott Caschette is chief information officer of Tampa, FL-based Schellman & Company, notably cloud infrastructure security and the other cloud data security.
As the remote workforce has become larger, more diverse and decentralized so has your corporate data. Long gone are the days of IT providing applications and data to a sedentary group of people within the confines of a physical building and 8-5 schedules. With the explosion of cloud computing, SaaS platforms, mobile devices and portability, your data is everywhere. Like it or not, your users demand it. Therefore, referring to our earlier hemispheres, data security has become less secure by the nature of organic growth.
“Security positions in the enterprise can help drive tools, visibility and risk management but once it leaves your border no amount of security skills is going to help,” he said. “Like water, data wants to be free and will find the path of least resistance and for many, has. Administrators, security engineers and application developers struggle to stay ahead of the curve when it comes to keeping corporate data safe.” Training, hygiene, DLP, disk encryption, MFA and anti-malware are a good start but should be considered table-stakes at this point.
On the other hand, he added, “When we talk about infrastructure, corporate data centers and proprietary networks I think we would be foolish to think that a small team of daytime FTEs can compete with the budgets, skills and quantity of large cloud platforms and SaaS companies. Further with efficiencies of scale these platforms have tools that can automate much of the inherent risk right out of the tenant.