The exponential growth of the digital economy and our increasing dependence on it underscore the criticality of cybersecurity as a profession. To sustain today's global economy, the world requires 3.4 million cybersecurity experts. However, the industry is grappling with the challenge of bridging this substantial gap in talent. Sandeep Bhargava, SVP, Global Services and Solutions, Public Cloud Business Unit, Rackspace Technology, in an exclusive interview, suggests organisations be innovative and creative to ensure they can maintain sound cybersecurity in the face of a talent crunch.

Can you provide insights into the current talent landscape within the cybersecurity industry?

As companies continue to expand their IT infrastructure, the need for skilled cybersecurity professionals is also increasing. This has resulted in a cybersecurity professional gap, particularly in India, where the number of job openings rose by an alarming 40 percent to reach 790,000 positions in 2023.

This shortage is beginning to impact companies' ability to effectively address cyber threats with 58 percent of local businesses identifying the availability of personnel as their top challenge when it comes to threat detection and response.

The expanding IT infrastructure combined with the growing number of cyber threats makes it crucial to bridge the professional gap. Without proactively addressing this issue, companies run the risk of compromising their digital assets and suffering immense damage to their finances and brand reputation. At the same time, bridging the cybersecurity talent gap will prove to be a difference-maker for companies that look to edge out the competition.

In what ways do you foresee the shortage of skilled cybersecurity workers expected to evolve?

The Data Security Council of India (DSCI) predicts that local demand for cybersecurity professionals will reach a million positions in 2025 if the cybersecurity ecosystem continues its rapid growth. While both the government and private enterprises are taking steps to increase the number of individuals pursuing careers in cybersecurity, its impact will not be felt immediately, especially at the higher levels.

As experienced professionals retire or move into more advanced roles, the industry may face a shortage of individuals with the necessary expertise and experience to fill their positions. While the increase in new graduates entering the field can fill up entry-level roles, it will take more time for them to gain the necessary experience and qualifications for senior and mid-level cybersecurity positions.

Organisations will need to be innovative and creative in ensuring their cybersecurity posture in the face of a talent crunch. They will need to utilise and refine their strategies for attracting and retaining top talent, as well as upskilling existing employees, by leveraging the latest technological trends for more efficient cybersecurity practices. This could involve implementing artificial intelligence (AI) and machine learning (ML) solutions, automation, and advanced analytics to bolster cybersecurity capabilities.

What are the most pressing cybersecurity challenges or threats facing organisations today?

AI, especially generative AI, was the biggest thing in terms of technology in 2023 and the same will likely happen this year. In terms of cyber security, generative AI will likely be utilised in ways such as the creation of sophisticated phishing emails that mimic legitimate messages from trusted organisations, impersonation of individuals through deepfake videos and audio, and the automation of malicious software and malware creation.

Aside from the leveraging of AI by cyber criminals, the legitimate use of such technologies by enterprises also increases their attack surface and places greater strain on a cybersecurity posture that is affected by the talent crunch. One example is the individual, unsanctioned use of generative AI tools for work in which confidential company information may be shared with the AI tools and their models. While the users assume the data remains secure and confidential, they may potentially expose organisations to data breaches and compromise their security.

To address these challenges, many companies rely on off-the-shelf security products. However, evaluating the effectiveness of these products and ensuring their robustness across diverse technologies requires a multifaceted skill set from security professionals. They need to possess a deep understanding of AI and its potential vulnerabilities, as well as expertise in the broader cybersecurity landscape.

Are there any specific areas or domains within cybersecurity where additional talent is urgently needed?

With the increasing dispersion of enterprise data, cybersecurity professionals need to maintain a strong understanding of cloud technologies. The rise of multi-cloud environments, third-party analytics applications, and the proliferation of different departments using new tools and product releases have expanded the trusted compute boundary (TCB) of most organisations.

This expansion means that a single application can now span multiple data centres managed by various vendors, scattered across different geographic locations, all operating under diverse government regulatory requirements. Cybersecurity professionals must be well-versed in securing these complex and distributed networks.

Furthermore, the skills required in the cybersecurity field extend beyond just technical knowledge. Alongside technical proficiency, professionals now need to possess multifaceted skills that encompass areas such as physical security, policy creation, implementation, and people management.

Securing data goes far beyond technical expertise alone. It involves understanding the human element and the challenges that come with managing people. It has been observed that significant security breaches are often caused by either human error, such as individuals not following proper system hardening guidelines, or intentional malice, where employees with elevated access abuse their privileges. Therefore, cybersecurity professionals must possess the ability to address not only the technical vulnerabilities but also the human factors that can lead to breaches.

What initiatives or programs are needed to foster continuous learning and skill development among cybersecurity professionals?

To foster continuous learning and skill development, it is crucial to implement initiatives and programs that promote flexibility in how learning and skill development are defined. Beyond traditional methods such as earning certifications from organisations like Microsoft, Google, and AWS, learning should also encompass competency-building projects, customer solution creation, and time spent in coaching, mentoring, or peer-to-peer relationships.

One example of such an initiative is showcased by Rackspace Technology in which employees are encouraged to devote a minimum of 52 hours to learning and development. Aside from formal training activities informal, small-group conversations called Racker Chats also count in reaching the suggested 52 hours. These sessions feature senior leaders and take place over remote platforms to enable employees worldwide to connect, ask questions, and gain insights into various aspects of the business.

By incorporating flexibility, fostering peer-to-peer learning, and encouraging self-directed initiatives like team-led training sessions, organisations can effectively foster continuous learning and skill development among cybersecurity professionals to expand their knowledge base, enhance their skill sets, and stay up-to-date in an ever-evolving field.

Are there any constraints or challenges in terms of budget allocation for cybersecurity talent?

Fierce competition between businesses for professionals has resulted in a sharp spike in compensation. In the local market, salaries for lower and mid-level cybersecurity positions grew by up to 200 percent last year. But even if organisations are willing to open their purse strings, it has not automatically translated to success in attracting talent with a drop in recruitment conversion rates from 80 percent to 50 percent.

More importantly, the uncertain economic climate has dampened spending. Local cybersecurity spending rose by only 8.3 percent from 2022 to 2023, compared to 8.4 percent from 2021 to 2022. Despite its urgency, attracting and retaining cybersecurity professionals is competing with many budget priorities. Such significant increases in compensation has put an additional strain on organisations' budgets, forcing them to allocate even more resources to attract and retain cybersecurity talent.

Given these challenges, organisations are recognising the growing importance of external partnerships and adopting a collaborative approach to cybersecurity. Partnering with external experts and leveraging their specialised knowledge and resources can help bridge the talent gap and enhance an organisation's cybersecurity capabilities. By embracing external partnerships, organisations can navigate the constraints of limited budgets and resource availability while still maintaining a robust cybersecurity posture.