How the Cybersecurity Skills Shortage Affects Your Business
The tech skills shortage is nothing new, but the impact that it is having on businesses of all sizes has never been clearer.
Even small organizations today need a strong tech stack for their business processes and a robust security stack for their data and information, which means that the effects of the cybersecurity skills shortage are hitting SMBs more frequently than ever.
In short, everyone needs tech security expertise, but such is the demand that many businesses simply can’t afford it for all their needs.
The Skills Shortage Before the Pandemic
The skills shortage in tech has been brewing for a number of years—you only have to go back to 2017 to see how businesses felt about the situation then, with three-quarters of organizations at the time seeing no change or a worsening skills gap in tech (see graphic below).
This has provided a primary obstacle to many companies in hiring candidates for their technology and IT needs.
Changes Since the Pandemic
The pandemic brought forward many of the changes in how organizations approach topics like technological maturity and cybersecurity, and it exacerbated existing issues that were already affecting the talent shortage.
During 2020 when lockdowns became widespread, businesses lacking the necessary tech to, for example, provide the appropriate resources for a fully remote workforce, had to shift quickly and adopt the talent and solutions in order to do so.
This affected virtually every line of business, whether it’s sales, marketing, product/service development—every aspect of a business’ processes suddenly needed a baseline tech capability to remain effective at their operations.
Considerations for Tech Solutions
It was during this period that many businesses looked at what they must cut to stay solvent, but also what they must invest in for the same reason—there’s very little point in reducing spend to keep a company afloat if it’s going to suffer a costly data breach and incur worse financial damage as a result.
So, where have these investments been heading? If we take a look at Microsoft’s data from August 2020, we can see that the top five investments from the beginning of the pandemic as far as security is concerned are:
- Multifactor authentication (MFA) – 20%
- Endpoint device protections – 17%
- Anti-phishing tools – 16%
- VPN – 14%
- End-user security education – 12%
Many of these solutions, particularly endpoint protection, VPNs, and other security tools, require the expertise of a cybersecurity professional in order to maintain them.
Take endpoint protection, for example. It’s common for a member of the cybersecurity staff to manage the protection of endpoints through a cloud platform, like Cisco Meraki (which Impact uses with clients).
Provisioning, securing, and maintaining devices, especially with workforces that are spread over multiple offices or not operating under a single network, is not easy and requires some kind of oversight.
When you factor in all the other aspects of information and business security, like compliance for example, it’s not hard to see why hiring a security staff in addition to existing IT staff is not feasible for many organizations.
Most businesses are aware that they need to increase their cybersecurity spending, and indeed many of them are doing just that, often at the expense of their broader IT budgets.
Kaspersky reports that while IT budgets have remained stagnant between 2018 and 2020, security budgets have typically increased in the 11-15% range—indicating a clear proclivity to favor security initiatives over IT projects, even if at the expense of IT in general.
The total market for cybersecurity was worth $3.5 billion in 2004. In 2017 it was estimated at $120 billion and by 2022 is expected to reach $170 billion.
As a result of this budgeting, the majority of SMBs are dealing with a cybersecurity budget of around $275K, compared to around $14 million for enterprise businesses.
What this adds up to is an almost impossible task for small- and medium-sized organizations.
Consider some cybersecurity positions and their average salaries:
- Information Security Manager: $125,000 – $215,000
- Cybersecurity Engineer: $120,000 – $200,000
- Application Security Engineer: $120,000 – $180,000
- Cybersecurity Analyst: $90,000 – $160,000
- Penetration Tester: $80,000 – $130,000
- Network Security Engineer: $125,000 – $185,000
- Healthcare Corporate Compliance Officer: $120,000
In the current environment, cybersecurity positions are in high demand and command high wages, a barrier that is simply too difficult to navigate for many.
If we take that average budget of around $275K that a lot of businesses have for their cybersecurity, it’s apparent that it will dry up very quickly just on talent alone—and that’s without paying even a cent on the tech solutions.
This has led to businesses showing a reluctance to hire new cybersecurity employees or indeed a security team—this is in line with commonly-held reservations, with around 54% of business leaders concerned about cybersecurity personnel spend.
How Do Businesses Respond to This?
Contradictory things are in play here—businesses must balance their budgets while spending more on cybersecurity to protect themselves.
The question for many, then, is simply what to do. For many, the answer has been to outsource their security needs to a third party.
An MSSP is a managed security service provider. The concept is no different to any other managed service—the MSSP provides the resources (tech and personnel) and the client business enters into a service contract with the MSSP.
Quality MSSPs will offer a monthly fixed-fee contract for their clients, so they’re not hit with any unexpected bills.
The market for managed security services has grown by a significant amount over the course of the last few years, from $32 billion in 2020 to an anticipated $46 billion by 2025, a compound annual growth rate (CAGR) of 8%.
Hiring an MSSP for cybersecurity allows the business to take advantage of the expertise and tools the MSSP has, without breaking the bank by building out an entire cybersecurity team internally.
Of course, an in-house team will always know a business best, which is why it’s important for businesses to consider what kind of MSSP is desirable for their particular organization—not all service providers are created equal.
The increased risk of businesses becoming a victim of cybercrime has created a strong demand for cybersecurity professionals and services.
This has in turn placed pressure on organizations to find room in their budgets to accommodate a security program, but for the majority it’s simply too difficult to do so.
Companies must elect to either ignore the threat of cybercrime and bury their heads in the sand (which a not-insignificant number of businesses are actually doing) or find another way to build a defense strategy.
As an alternative, MSSPs are providing organizations the opportunity to invest in their cybersecurity while remaining on a budget, which is a large part of the reason the managed security services industry has taken off in a big way in recent years.
Businesses that are concerned about the state of their cybersecurity defense should be realistic about the threat of cybercrime but also realistic about their budget.
The cybersecurity shortage, though improvements have been seen in the last year, remains an issue for companies hiring security talent and an issue that affects many businesses today looking to protect their data and processes.
These organizations should strongly consider a managed security service provider in order to meet their needs on a budget, as it’s unlikely the cybersecurity skills shortage will alleviate to the necessary extent to be affordable for SMBs anytime soon.