Week over week, a new threat against valuable data emerges. Sometimes, adversaries in cybersecurity find ways to infiltrate systems through advanced malware strains. Other times, they’ll find holes in an organization’s infrastructure, which have been accidentally created by a well-intentioned employee. Both occur all too often, but the latter is actually tied to another threat facing the cybersecurity industry – the skills shortage.
Mind the gap
The skills shortage is a term those in the industry all are too familiar with. While agile and powerful threats are on the rise, the amount of talented cybersecurity professionals is not – leaving a gaping hole in security strategy that existing employees just can’t fill. In fact, according to McAfee’s recent study Winning the Game, IT leaders report needing to increase their security staff by 24% to adequately manage their organization’s cyberthreats. The absence of adequately trained professionals can leave holes in many aspects of modern-day security infrastructure, with one of the widest specifically involving cloud security.
A clouded education
The cloud is a nuanced area in technology and securely managing it requires specific knowledge – which is why it feels the effects of the skills shortage two-fold. In fact, according to our recent report Navigating a Cloudy Sky: Practical Guidance and the State of Cloud Security, more than 25% of organizations using infrastructure as a service (IaaS) or software as a service (SaaS) have experienced data theft from their hosted infrastructure or applications. Furthermore, one in five were infiltrated by advanced attackers targeting their public cloud infrastructures. All too often these attacks originate from user misconfigurations, a lack of updates, or a selection of the wrong technology.
Put two and two together, and these breaches make one thing apparent: organizations are not only lacking cybersecurity talent, but sufficient cloud security talent, which ultimately puts them more at risk of an attack. Mind you, this talent gap is also delaying enterprise migration to cloud computing.
Security skills vs. cloud security skills
However, it’s important to note that the list of skills required for successful cloud security isn’t precisely a carbon copy of what many expect from a cybersecurity professional. Plugging one gap will not always fill the other.
Of course, general security skills – such as incident response, data analysis, and threat hunting –are still crucial when it comes to securing the cloud. But they’re not entirely sufficient. For instance, cloud security professionals and architects need to come to the table with a deep knowledge of identity access management (IAM), deployment automation, and cloud regulatory compliance.
But just like cloud security is a shared responsibility between vendor and customer, so is the cloud security skills shortage between the cybersecurity industry and future professionals. While we must hope that professionals pursue the right training, the cybersecurity industry must also do its part in educating both future candidates and current employees on the ins and outs of modern-day cloud security. And this doesn’t just mean teaching the correct configurations for AWS either, but rather helping these professionals learn about the tenets of cloud adoption, including costs, monitoring, potential barriers, and more.
To plug your cloud security skills gap, the answer is not to hire quickly, but rather hire and train strategically. Evaluate what security issues your cloud infrastructure has faced and map those issues back to the applicable skills needed to address them. From there, securing IaaS and SaaS solutions shouldn’t seem so cloudy to your IT team.