How SMEs can bridge the cybersecurity skills gap

By Brian Martin, Head of Product, Strategy and Innovation, Integrity360

It seems we’re finally starting to see signs of growth in digital skills materialising. According to the (ISC)² 2022 Cybersecurity Workforce Study, the size of the cybersecurity workforce reached an all-time high of 4.7 million in 2022. However, the very same report suggests that there was still a shortage of 3.4 million security professionals last year, up 26% from the figures recorded in 2021.

The crux of the problem is simple: Yes, the global cybersecurity workforce is growing, but so too is the gap in the number of professionals required to combat an ever-evolving threat landscape.

This remains a major issue. Indeed, the Fortinet 2022 Cybersecurity Skills Gap Report suggests that a shortage in expertise was a contributing factor in approximately 80% of all breaches suffered by organisations during the pandemic period. Unfortunately, it is SMEs that are experiencing the worst effects of the security skills crisis.

The competition for cyber talent is fierce, with qualified specialists able to command beefy salaries – demands that smaller organisations with more constrained budgets simply can’t meet.

As a result, many business leaders are left to attempt to make sense of cybersecurity themselves. Yet with so many solutions on the market, and so much conflicting advice, this can be an incredibly daunting and confusing task.

Often, the instinct in this scenario is to make security tomorrow’s problem. However, it is critical that SMEs address their cyber shortcomings as a priority now more than ever before. According to IBM, the global average cost of a data breach was $4.35 million in 2022 – a figure large enough to decimate even the most financially savvy SMEs in one fell swoop. Indeed, for many SMEs, a successful breach or ransomware attack can be an existential threat to their business.

So, how exactly should SMEs with limited resources and knowledge be looking to bridge the cybersecurity skills gap, and better protect themselves in the face of an increasingly volatile threat landscape?

Here, we look at four points to get things started.

  1. Looking at cyber resources through a new lens
    With more than three million unfilled cybersecurity roles, it can be difficult for smaller firms to attract and retain leading security talent. It is therefore wise to take innovative approaches and look beyond the traditional model of what constitutes a cybersecurity resource. Not all security professionals need to have the same skills profile – some might be more technical, while others are more collaborative and communicative. For this reason, SMEs may seek to tackle the current talent crisis by training up their own employees with readily transferable skills. We also need to ensure we are aware of and compensate for conscious and unconscious biases in terms of age, gender, and background when considering candidates for cybersecurity roles.
  2. Tapping into technology
    It’s easy for any individual to become overwhelmed by security operations. Today, many industry professionals are plagued by an endless stream of alerts that need to be reviewed individually to ensure a breach hasn’t occurred. SMEs should look to embrace those technologies capable of automatically addressing repetitive tasks. With the right level of automation, organisations can prioritise threats and even handle some cyber-attacks automatically. Tuning is also a key ongoing activity to avoid unnecessary repetitive effort. These approaches can be a way of bridging the skills gap, serving to reduce response times while minimising the need for manual intervention.
  3. Striking the balance between human and machine
    While automated technologies are undoubtedly important, they cannot work alone. Software solutions can only detect so much, and when incidents are detected, humans are still required for detailed investigations to take place. In addition, there’s still very much a role for proactive human-led threat hunting, where analysts use their skills to detect threats that bypass traditional detection mechanisms. SMEs must therefore work to balance any technology investments with an enhancing of the security skillsets within their organisations. Indeed, both are important.
  4. Consider outsourcing
    For SMEs struggling to fill their cybersecurity gaps, it might make sense to outsource security to a Managed Security Service Provider (MSSP) or to utilise a Managed Detection and Response (MDR) service. These can be a cost-effective and flexible option, enabling businesses to scale at pace with confidence in the knowledge that they are protected from cyber threats. SMEs don’t have to purchase a full, expensive set of standalone software or tools, because an MSSP or MDR provider already has access to the latest technology. Some MDR providers can also layer their service on top of existing platforms, avoiding the need to jettison previous investments. Additionally, service providers can afford to invest in continually enhancing the security they offer due to economies of scale in delivering services to many customers.