The push to work from home during the coronavirus pandemic is straining cybersecurity professionals around the country tasked with ensuring workers are able to not only work efficiently from remote locations — but to do so safely. This rapid shift is a tall order for an industry that was already in need of skilled professionals long before the pandemic took hold.
Cybersecurity workers were taken off some or all of their typical security duties to assist with other IT-related tasks, including equipping mobile workforces, according to an April survey from global nonprofit (ISC)2, the largest association of certified cybersecurity professionals. The survey of 256 cyber pros found nearly half were re-tasked and that a quarter said cybersecurity incidents increased since the transition to remote work, with some seeing as many as double the number of incidents. Separate data from another nonprofit cybersecurity group, the Information Systems Security Association, found a 63% increase in cyberattacks related to the pandemic, calling Covid a "once-in-a-lifetime opportunity for hackers and online scammers."
"We are outnumbered—the people that are doing bad things, whether it's a nation-state type of activity or cybercrime—the good guys and gals were vastly outnumbered prior to the pandemic," says David Shearer, CEO of (ISC)2. "It has a compounding effect to what was already a challenge... take all of this technology we are becoming more and more reliant on and it's scaling in a massive pace."
The group reported in late 2019 that 2.8 million professionals work in cybersecurity jobs globally, but the industry would need another 4 million trained workers in order to properly defend organizations and close the skills gap. That includes about half a million workers needed in the U.S. to meet demand. A separate survey of more than 300 cybersecurity professionals from ISSA shows that 70% of organizations report being impacted by the worker shortage and 45% of respondents say the cybersecurity skills shortage and its associated impacts have only gotten worse in recent years.
Shearer said to fill the talent gap, more outreach needs to be done to recruit younger workers into the aging workforce, as well as more diverse cybersecurity workers.
"Diversity is a big part of it — women are underrepresented, it's improving. We also here in the United states need to look at other underrepresented minority groups and get them into the fold because it's going to take everyone we can find to be interested in cyber," he said. "As people start to retire, it's only going to exacerbate the fact that it's an undersized cyber workforce."
Jobs can be lucrative in the field as well—(ISC)2′s data finds the average North American salary for cybersecurity professionals is $90,000 a year and those who hold security certifications can make more.
Veracode, a 750-person cybersecurity firm based in Burlington, Massachusetts, is currently looking to staff up for dozens of positions —from programmers to sales people to cybersecurity roles. Covid has accelerated business shifts not only at the company but for many of its clients, says Chris Wysopal, founder and chief technology officer.
"Companies are already dealing with remote workforces that were increasing in size—remote roles were increasing at most places, but then the whole company was remote. And so all of a sudden you had to deal with 'How am I securing all the laptops that are there? How are all those employees getting in all the systems they need to access?'" Wysopal says. "It changed everything really, really quickly and cyber security people had to scramble, essentially, to make sure that that was all done well."
Hiring has become somewhat easier in recent months, Wysopal says, a silver lining in the face of a broader skilled talent shortage in the industry. As the pandemic forced closures and layoffs in all sectors of the economy, more cyber workers have become available and due to the nature of remote work, candidates that are outside of the area have become more appealing.
"There's no more requirement of being local," he says. "I hired someone out of Utah, out of Texas—there are a lot of people around the country that want to work for a Boston-area tech company, and I find in cybersecurity, people like to work remote. And if we allow them to work remote, it's easier to hire them."
As the world becomes ever more reliant on technology, Shearer is hopeful organizations will take lessons from the shift that has rocked the country due to Covid, and plan accordingly in the future.
"There's a lot of similarities between the pandemic and cyber in that it's kind of a virus, it's a bad thing that happens and it impacts people and it impacts their lives," he says. "It doesn't seem to get a lot of attention until something really bad happens, there's a breach or something that costs a company a lot of money or a product or company embarrassment. It remains a challenge."