By Jake Milstein, Critical Insight
We all know people who have left their jobs in the past year. They might be friends, family, coworkers, or even the person reading this article. The Harvard Business Review calls it “a tidal wave of resignations.” In July 2021 alone,
4 million Americans quit their jobs, resulting in a record-breaking 10.9 million open jobs at the end of that month.
No matter the various reasons for people leaving their jobs, the organizations they depart, big and small, are left with holes. When an employee leaves, they don’t just take with them the functions of the job; they also take the institutional knowledge
they accrued, as well as the investments made in their training and development. And some of that loss is the only institutional cybersecurity knowledge of the organization.
To take a few area examples, I know of a hospital that has a cybersecurity team of 30 people—or at least, they have 30 slots on their team. Last I heard, they had 20 open positions coming into fall 2021. Another hospital had its CISO leave. An IT
director for a somewhat rural city left, and finding a replacement is now estimated to take six to nine months. The IT manager for a port had an employee quit at the beginning of the pandemic and has been looking for a security analyst for more than
a year, but they keep losing candidates to higher salaries at bigger agencies and organizations.
The cybersecurity talent gap
Even before the pandemic, knowledgeable security personnel were not plentiful. In 2017, articles with titles like “Cybersecurity has a serious talent shortage” were predicting 1.5 million unfilled positions by 2020. In the wake of the pandemic
and Great Resignation, the actual shortfall is now much worse. The Biden administration is trying to do something about it, but the wave of job-changing is not letting up.
When the IT and security folks (sometimes that’s the same person) leave their jobs, it creates gaps in security operational tasks. Here’s a real-world example: An IT director was diligent about implementing patches on a monthly schedule. They
would take down the appropriate assets on the network late at night and do the patching they needed to do. But then that person left. The organization knows it needs to do the patching, but who will do it? And can they get away with patching less
regularly? (Hint: The answer is no.)
The bad guys know
The criminals are onto us, of course. They know about the skills gap, they know about the talent gap, and they know people are leaving their jobs. And they are taking advantage of it. Criminals are watching patches get released and then going out to attack
organizations that don’t apply the patches quickly.
For the non-IT folks, here’s an analogy: Let’s say there’s a lock on your front door, and the manufacturer recalls it because you can open it with a blank key. But you ignore the recall notice or just don’t get around to replacing
the lock. A criminal who has seen the recall notice walks your neighborhood looking for that lock. They spot yours and know they can use the blank key to open your door.
It used to be that criminals didn’t go after vulnerabilities quickly. That changed, and now some patching needs to be done urgently (for more, see “Patch Game,” at left). But without the staff to do the work, who does it?
Patching is just one thing that doesn’t get done when there’s a dearth of security personnel. Other things that fall by the wayside include audits, employee security training, upgrading defenses, monitoring for attacks and attackers in the
system, and updating preparedness documents. One organization had a well-documented call tree of whom to alert in case of a cyberattack, but half the people on the call tree had left the organization.
The consequences
You know the consequences of bad cybersecurity hygiene. Even organizations with good security postures have fallen victim to ransomware attacks. The year 2020 saw 304 million ransomware attacks worldwide, which was a rise of 62 percent year over year.
The solutions
Organizations that had decided to do all of their cybersecurity in-house are now facing the new reality that they can’t find the employees. Others that never had big staffs are recognizing the need for better security. For both types of organizations,
there are two paths: automation or outsourcing. There’s a plethora of companies that promise to fix cybersecurity problems with software alone, and they certainly can help. But someone must be watching the alerts on that software, so the
talent gap potentially remains.
Other organizations are looking to outsource their people problem to a partner to whom they can hand off 24/7 monitoring, get help with vulnerability scanning, and get help with incident preparedness. Especially until the Great Resignation trend works
itself out, turning to managed and professional cybersecurity service firms can help reliably fill those gaps and improve outcomes.
Jake Milstein is the chief marketing officer at Critical Insight, a Bremerton-based information security company that provides systems assessments, vulnerability testing, planning, regulatory compliance, and other IT and cybersecurity services.
For more information: criticalinsight.com
Patch game
Software updates are one of the most critical IT functions that can get lost without adequate cybersecurity staffing, as explained by Fred Langston, a Seattle security expert with Critical Insight:
“Because the bad actors know that most organizations do not patch faster than 30 days, and a huge number do not patch well at all, it’s open season for the nation-states and their criminal advanced persistent threat (APT) groups to literally
lay waste to wide swaths of industry and government.
Our current approach to address these threats is failing in epic fashion right before our eyes. IT and security operations must adopt the concept of an incipient security event that requires a Level 1 incident response. The inconvenience of an Exchange
outage over a weekend due to a patch is insignificant in cost and impact when compared to a cyberattack on that same Exchange server that takes down every system on your network.”