Skill Shortages Causing Cybersecurity Lag

Joe Stanganelli, Managing Editor, TechBeacon

"Cybersecurity teams are struggling to keep up." That's one of the core messages of KPMG's 2022 Global Tech Report.

"Businesses may be more vulnerable to cyberattack than they think, and they may not be doing enough to ensure resilience in the face of evolving threats," reads the report. "Without necessary oversight, new vulnerabilities could enter the system, potentially harming the customer relationship."

Indeed, in KPMG's survey of 1,052 US-based technology executives, 58% of respondents admitted being "behind schedule" when asked, "How would you describe your organization's position today in your cybersecurity journey?"

To make matters worse, this was a binary question. The only other option for the remaining 42% to choose was "We are proactive in progressing against our strategy and are continually evolving." Read closely, this doesn't really mean much of anything; as such, it could mean just about anything—and doesn't inspire much confidence.

Suffice to say, the majority (or, possibly, vast majority) of tech executives acknowledge that they are lagging in their cybersecurity efforts—even though they may be leaving money on the table in the long run by doing so.

"[I]mproving customer experience is the top driver for increased cybersecurity spending," reads the report. "Enterprise cyber teams are trying to resolve a new equation in play: poor cybersecurity = poor customer trust = lost revenue."

Security Versus Accessibility

Where customers are concerned, security is often a thankless—yet blame-filled—endeavor. Elsewhere, KPMG has previously observed that customers take security as both a basic requirement and a hassle.

"The problem is that proactive investments in security rarely move the meter with customers. They see . . . keeping their money and data secure [as] a given," reads a separate, earlier report from KPMG on the future of banking. "They want to rid themselves of two-factor authentications. They want to replace their debit and credit cards with phones and watches. And they want to allow other third parties, of their choosing, to have access to their payment (and even banking) data."

"Oh, is that all?" one might rhetorize. Accessibility and security inherently do not play nice with each other. After all, perfect accessibility means zero security, and vice versa. Organizations have a hard time finding the perfect balance, particularly as they seek to improve both trust and customer experience (CX).

"The digitalization of customer channels is the second-biggest cybersecurity challenge faced by organizations, after the adoption of hybrid working," reads the report. "Traditional cyber investments were significantly driven by regulatory compliance needs and were seen by businesses as necessary overhead. But as businesses become more digital, leaders see that if they don't invest in cyber, they can actually lose customer trust."

Still, compliance concerns add further problems to the mix; perversely, compliance demands and security demands can sometimes conflict with each other. Little wonder, then, that KPMG found that "security and compliance requirements" were the second-most-reported "top challenge" in organizations' cloud journeys.

The No. 1 cloud challenge is closely related to cybersecurity: "insufficient talent and/or skills."

Accounting for Talent

Cybersecurity has long been associated with talent and skill shortages. In KPMG's survey, talent and skill shortages came up repeatedly as one of the top challenges facing companies. The most frequently cited "major internal challenge" to achieving organizational cybersecurity goals was a "lack of key skills"—indicated by 39% of respondents. Unsurprisingly, 30% of respondents reported that "the need for new cybersecurity skills" was one of their "most influential drivers for increased cybersecurity spending."

The problem extends to enterprises' ability to proactively move forward with digital transformation. When asked what their biggest challenges were for adopting new digital technologies, the plurality of respondents cited talent shortages (44%).

"The number one response—lack of capable talent to carry out key roles—speaks to the extreme competition across industries for people with rare but in-demand skill sets, such as cybersecurity developers," reads the report.

The second-most-cited challenge for adopting new digital tech was closely related: 30% of respondents cited a "lack of skills within our organization to either implement or fully take advantage of new systems." 

Meanwhile, 30% of respondents cited cost concerns as one of their biggest challenges to bringing on new digital tech. The report points out that this factor is related to the talent and skill shortages, however.

"Enterprises will need to overcome budget constraints to attract in-demand talent, meet additional candidate demands, and fill key roles," reads the KPMG report. "Most companies have yet to master the balancing act of budgeting for technology versus other enterprise needs, particularly in the inflationary labor market. In our survey, annual technology budgets are often falling short of what is required to bring skilled employees into the fold to implement and take advantage of new tools, systems, and platforms."

Competition appears to be stiff, too—exacerbating the problem. Last year's Cybersecurity Workforce Study by (ISC)² estimated that, worldwide, there were more than 700,000 more workers employed in cybersecurity in 2021 than there had been in 2020. At the same time, (ISC)² reported that its data suggested that "the cybersecurity workforce needs to grow 65% to effectively defend organizations' critical assets."

Despite all of this, however, the cybersecurity talent does seem to be out there—at least, for more modern-thinking organizations. Employers seeking cybersecurity workers have long stood in their own way with outdated hiring practices and a phobia of remote work—despite its ability to allow companies to go beyond the bounds of their local talent markets.

The KPMG report, for its own part, seems to acknowledge that the old ways may indeed not be best for fixing the cybersecurity skills and talent problem.

"Creative approaches are needed for companies to access the skills they need to deliver on digital-transformation goals," reads the report. "With that in mind, businesses should recalibrate their approach to hiring, training, and 'buying' specialist talent from the ecosystem. We think reskilling traditional IT professionals with is due to play a more prominent role in companies' talent strategies."

Automation as a Cybersecurity Boost

In addition to training, KPMG recommends using automation technologies to help close these gaps—giving workers "a boost." The report outlines some of the opportunity in this area.

  • Nearly one in four respondents have not yet begun to implement automation.
  • Thirty-eight percent of respondents are behind schedule in their automation-implementation programs.
  • Thirty-six percent of respondents have yet to deploy robotic process automation (RPA).
  • Of the respondents who have deployed RPA, nearly four out of five reported seeing a positive ROI.

"By using automation to shoulder the burden of repetitive tasks, existing staff can be upskilled to deliver other knowledge-based skills that are in high demand but short supply," reads the report. "Tapping this high-potential space is a prime opportunity for businesses to overcome the talent gap and ease the workloads of the human team."
