Growing Security Skills Gap Calls for a New Approach to Training

As the scope of the cyber hygiene challenge outpaces the expert resources available, security teams are losing ground in the effort to protect their organization. The security skills gap is hardly a recent development; open job requisitions and soaring salaries have been the bane of enterprise security for many years. But with no relief in sight, it's clear that traditional approaches to security talent just aren't working and cybersecurity training needs to be reexamined. It's time to try something different.

In our last blog on the findings of the JupiterOne 2022 State of Cyber Assets Report, we examined the proliferation of cyber assets and its implications for the ever-expanding enterprise attack surface. Now, in the second part of our five-part series, we'll focus on the human element of the crisis: the outdated cybersecurity training models that leave security teams chronically understaffed, overwhelmed, and struggling to meet their responsibilities.

Cybersecurity training has fallen behind reality

JupiterOne's analysis of over 370 million cyber assets, policies, and findings at nearly 1,300 organizations reveals a wide and growing divide between security responsibilities and skills.

Today, many cybersecurity degree programs and certifications remain focused on legacy IT technologies: physical endpoints such as laptops and smartphones, premises-based networking, and other mainstays of yesteryear. How well does this align with the actual environments in which these professionals will work? Consider that:

  • Nearly 90 percent of devices in the modern organization are cloud-based
  • Physical devices such as laptops, tablets, smartphones, routers, and IoT hardware represent less than 10 percent of total devices
  • Cloud networks outnumber physical networks by a ratio of nearly 60:1

Devices are still an important part of cybersecurity; after all, there are 110 devices for every employee at the average organization, while the average security team is responsible for 32,190 devices. But what about the security needs of the cloud-native, serverless architectures of the modern enterprise?

Security professionals need to close the cloud security skills gap

In the old days, security and IT teams worked together more closely—at least in physical terms. When IT deployed a new physical asset like a laptop, it was relatively easy for IT to make sure essential security measures were being implemented. In a cloud-native world, this isn't nearly as simple. Few security professionals have the cloud security expertise to provide the right guidance. And even if they do advise an engineer to turn on encryption in the cloud or set up alerts for data exfiltration, they lack the authority to make it an order—and time-pressed engineers have little incentive to slow deployment for the sake of security.

Cloud policy has also failed to keep pace with cloud risks. JupiterOne's analysis of 10,598,506 security policies found that over 99 percent of policy enforcement is automated, consisting of configurations, rulesets, and technical procedures. Yet even with this laudable progress toward automation, cloud policies represent less than 30 percent of total guardrails—and cloud assets still generate over 97 percent of security findings. It's no wonder that, according to analysts, at least 99 percent of cloud security failures in 2022 and 2023 will result from cloud resource misconfiguration.

It's clear that the rush to the cloud has proceeded more quickly than the maturation of cloud security, and the security skills gap has continued to widen. Organizations have yet to figure out what secure-by-design means in the cloud, understand the full picture of their evolving security risks, or determine what policies should be applied across cloud assets.

Closing the security skills gap and expanding the cybersecurity talent pipeline

Of the 32,190 devices in the average organization, 28,872 are cloud hosts. This cloud-heavy mix calls for new cloud-focused approaches to cybersecurity training and upskilling. At the same time, the industry needs to vastly expand the talent pipeline—and that means looking beyond college degree programs.

While bachelor's and master's degree holders are the backbone of most enterprise security organizations, many roles, including thousands of unfilled cybersecurity jobs, are more vocational in nature. Students completing cybersecurity training in vocational schools can immerse themselves just as deeply in their field while completing their training and entering the workforce in two years or less.

Vocational training can have a transformative and vital impact in addressing the cybersecurity skills shortage. Established professionals in the field should foster this trend by identifying roles in their organization that can be filled by job-seekers who have received this type of education, then adapting their hiring practices accordingly. Going further, they can also partner with cybersecurity-focused vocational training and education programs to ensure that students are receiving the most-needed skills. In this way, they can provide new career paths for a broader range of individuals while helping develop desperately needed talent to properly defend our digital ecosystem.

In our next blog, we'll look at the findings of the JupiterOne 2022 State of Cyber Assets Report on the security demands of today's dynamic network architecture.

Jasmine Henry

Jasmine Henry is a security practitioner who's used JupiterOne to create a compliant security function at a cloud-native startup. She has 10 years of experience leading security programs, an MS in Informatics and Analytics, and a commitment to mentoring rising security practitioners from underrepresented backgrounds. Jasmine is a Career Village co-organizer for The Diana Initiative security conference. She lives in the Capitol Hill neighborhood of Seattle, WA.
