Today, tech companies have their work cut out as they face an ever-growing list of significant challenges. From an increasingly dangerous cyber threat landscape and a widening skills gap to taking cloud and service-based IT to the next level, and everything in between, it’s no easy task.
Today’s challenges facing security companies can look daunting to startups and seasoned software providers alike. However, it’s not all doom and gloom. Developing an in-depth understanding of these challenges is critical to staying ahead of the competition in the digital age. Moreover, it provides excellent opportunities for growth and market disruption if you know where to strike.
With this in mind, let’s look at the issues software providers are staring down today and how to best overcome them in a fiercely competitive market. Let’s get into it!
A Rising Cyber Security Threat
The state of the current cyber threat landscape is enough to make even the bravest among us go pale.
As companies expand their digital footprints and embrace new technologies, their cyber-attack surface widens. With more applications, code, servers, ports, and websites, there are more points of access for malicious actors. And that’s just the possible attack points companies are already aware of – shadow IT is becoming a greater issue too. Shadow IT is all the devices and applications employees use without the explicit approval of IT.
Simultaneously, cybercriminals are becoming more sophisticated than ever before and increasingly leveraging easy-to-access hacking tools. For example, ransomware-as-a-service (RaaS) is becoming a significant threat to global cyber security as it grows in popularity. RaaS is a subscription-based model that allows cybercriminals to use out-of-the-box ransomware tools to execute attacks. Users pay an ongoing fee, and the RaaS provider gets a cut of each successful ransom payment after an attack. And sadly, it’s a thriving business model. A recent study found that two out of three ransomware attacks today are facilitated by RaaS.
We live in a world where global cybercrime costs are expected to grow 15% per year, reaching $10.5 trillion by 2025. Moreover, cyber-attacks were up 50% in 2021 compared to 2020, and the situation doesn’t look to be improving for 2022.
Finally, and critically, while cyber security-focused software companies play a crucial role in engineering the next generation of robust and secure products, they’re at risk just like everyone else. A new study from Positive Technologies found that cybercriminals can penetrate 93% of company networks. IT companies, among others, were a focus of this study.
This brings us to the next section, the worrying IT skills gap.
Talent Shortages and Widening Skill Gap
While the demand for all types of technology, including devices and software, remains high, skilled IT workers are increasingly difficult to find and keep. And while this is true for tech positions in general, it’s especially concerning in cyber security. This is because digital infrastructure supports almost every aspect of our daily lives, and cyberattacks can have disastrous consequences for citizens, businesses and governments.
And this talent shortage has a significant impact on companies’ ability to innovate. According to Gartner, the talent shortage is the most significant barrier to the adoption of 64% of new technologies. Moreover, it has a very real financial cost. According to one study, skill shortages could cost companies worldwide $8.5 trillion in unrealised annual revenues by 2030.
But just how dire is the cyber security skills shortage? According to a 2021 report, the global cyber security workforce gap stood at 2.72 million last year. And while this was down from 3.12 million in 2020, researchers still estimate that the global cyber security workforce needs to grow 65% to safeguard organisations’ critical assets effectively.
Various factors are at play in why the information security industry is facing talent shortages and a widening skills gap:
- An increasingly demanding skillset: Today, cyber security professionals need to have a vast range of skills, and the list is growing every year. Companies increasingly want workers to have computer science, engineering, and other technical skills in addition to traditional cyber security skills.
- Cyber professionals are stressed: Stress is an industry epidemic in cyber security. For example, 37% of UK-based cyber security workers report feeling highly stressed, and 42% of UK security leaders said they would be unlikely to recommend a job in the field.
- It can be a thankless job: We typically only hear about cyber security teams when something goes wrong (a successful breach). When they successfully defend the network, nothing is said. Championing success stories could be the key to boosting morale in cyber security teams.
- Attitudes to cyber security: While companies recognise that cyber security is essential, they often have negative attitudes towards it. For example, they might believe it stifles innovation, or that security teams are heavy-handed in restricting access to files and applications.
Cyber security automation could potentially address the skills shortage, but it comes with a catch. To create the necessary automated tools, cyber security teams will first have to recruit professionals with sufficient automation skills to build and run the processes. And here we’re left with the same problem – finding the right talent.
How Do We Bridge the Cyber Security Skills Gap?
Recruiting Potential and Going Wide
While technical and engineering skills might be desirable, they’re not vital for a role in cybersecurity. Instead, companies should consider hiring candidates with valuable soft skills like problem-solving, attention to detail, communication, and creativity. With cyber-attacks becoming increasingly complex, creativity will be paramount in combating them.
Put simply, in-house recruitment teams need to rethink their understanding of who fits in a cyber security role. Employing candidates with a varying skill set (not just technical) introduces more diversity of thought into the workplace. And diversity of thought is critical in understanding your enemy and anticipating where they might strike. For example, some people have argued that the CIA’s failure to spot the warning signs of 9/11 was due to a lack of diversity within the CIA – homogeneity doesn’t work in intelligence (or cyber security) because we all have blind spots and gaps in our understanding. And when you have a homogeneous team, you duplicate those blind spots.
Hunting for the Best Talent
With enterprises more vulnerable to cyber attacks than ever before, they need to start thinking outside the box regarding recruitment. This means knowing where to look instead of relying on finding talent locally. For example, companies could scout for talent at hackathons or similar competitions that bring together the most brilliant hacking minds. Similarly, they should work with reputable recruitment houses that know how to hunt the best cyber security talent.
Combatting Job Stress
This one is a little harder to solve but is critical nonetheless. Many people considering careers in cyber security might be worried that the benefits don’t outweigh the stress of the job. To combat this, companies need to celebrate cyber security teams’ successes and create a culture of belonging. The security team should feel just as crucial to the company’s success as any other team. Additionally, companies should consider strengthening their benefits package with flexible work options and other attractive benefits.
Lack of Skilled In-House DevSecOps Engineers
Companies are under enormous pressure to deliver innovative products to tight release schedules. But as timelines tighten and software complexity rises, the potential for vulnerabilities shoots up. To overcome these challenges, companies are increasingly adopting the DevSecOps model. Integrating security as a shared responsibility throughout the software lifecycle has proven successful in creating more robust software products.
However, despite the rising interest in embedding DevSecOps practices into development teams, many organisations struggle to bring this idea to fruition. For many companies, DevSecOps is still a relatively new concept, and as a result, they lack the in-house talent to move in this direction. Additionally, negative attitudes towards cyber security (as a team of people who like the word “no”) can often impede progress and further solidify silos.
Trust in New Open Source Tech and Cloud-Native Security Tools
Companies are increasingly opting for open source over proprietary software, and with good reason. Open source technology promises decreased costs, increased performance, and boosted security.
According to a study by OpenUK, a not-for-profit open technology advocacy body, a whopping 89% of respondents run open-source software internally in their business, and 65% contribute to open-source projects. Furthermore, 49% of companies surveyed develop open-source software. And interestingly, small companies seem to be taking the lead in open-source software production, with 61% saying they open source their own software and 57% reporting they contribute to external open-source software.
With public trust in open-source software growing dramatically every year, software providers are under increased pressure to scale up their open-source projects to stay competitive on the national and global stage. At the same time, cyber security teams are increasingly reliant on security APIs and open-source security tools, including PhishTank API, VirusTotal API, Cloudflare API, Nmap, Wireshark, and Falco, to name a few. As a result of this boom in everything open source, companies need to hire IT and cyber security professionals to further their open-source contributions and work to get the most out of the tools they choose.
In recent years, cloud-native technologies have also seen impressive adoption rates among software teams of all sizes. And one particularly active area is security and compliance tools. Cloud-native security tools focus on securing cloud-based infrastructure, platforms, and applications by building security in from the start of the development process. Similarly, compliance tools are focused on meeting the increasingly stringent demands of data protection regulations.
As we progress through the 2020s, where cloud-based services will continue to dominate, demand for cloud-native security tools will skyrocket. This is something tech startups need to be aware of when designing their next suite of products.
Rising Customer Expectations
Customer expectations are at a record high, and many software companies are struggling to keep up. Not only do customers want increasingly advanced functionality and seamless experiences, but they want it yesterday.
Cyber security is also shaping customer expectations. Today, hardly a day goes by without a high-profile data breach hitting the headlines. And even if consumers miss the headline, they’ll experience the impact of cyberattacks in other ways. For example, the price of goods and services often goes up following a successful cyberattack as companies try to recoup the losses.
So, with public awareness of cyber attacks trending upwards, consumers are increasingly concerned about their data privacy. As a result, they’re thinking more carefully about the companies they choose to buy from and what information they feel comfortable sharing. They’re also paying closer attention to companies’ commitment to cyber security or lack thereof.
Unfortunately, companies often only get one chance here – a successful data breach can lead to temporary or even life-long reputational harm. For example, 59% of consumers say they will avoid companies hit by a cyber attack in the last year. Consumers may forever view the company as an entity that can’t be trusted to protect their valuable data or one that isn’t proactive about investing in the right cyber security talent and tools.
The growing list of issues software companies face should cause concern but not alarm. Each year will bring new challenges, and it’s the way we approach these challenges that makes or breaks our success. In other words, software providers need to rise to the challenge and tackle these issues head-on. But how?
In an increasingly severe cyber threat landscape, the key to overcoming adversity, achieving your goals, and exceeding customer expectations lies in hunting the right talent. People are the lifeblood of any thriving business, and this is especially true for tech startups where each employee can add an immense amount of value. Valuable employees have valuable skills, and it’s these skills that help fight cybercrime and lead to the next generation of innovative products.