By Jake Milstein, Critical Insight

We all know people who have left their jobs in the past year. They might be friends, family, coworkers, or even the person reading this article. The Harvard Business Review calls it “a tidal wave of resignations.” In July 2021 alone, 4 million American quit their jobs, resulting in a record-breaking 10.9 million open jobs at the end of that month.

No matter the various reasons for people leaving their jobs, the organizations they depart, big and small, are left with holes. When an employee leaves, they don’t just take with them the functions of the job; they also take the institutional knowledge they accrued, as well as the investments made in their training and development. And some of that loss is the only institutional cybersecurity knowledge of the organization.

To take a few area examples, I know of a hospital that has a cybersecurity team of 30 people—or at least, they have 30 slots on their team. Last I heard, they had 20 open positions coming into fall 2021. Another hospital had its CISO leave. An IT director for a somewhat rural city left, and finding a replacement is now estimated to take six to nine months. The IT manager for a port had an employee quit at the beginning of the pandemic and has been looking for a security analyst for more than a year, but they keep losing candidates to higher salaries at bigger agencies and organizations.

The cybersecurity talent gap

Even before the pandemic, knowledgeable security personnel were not plentiful. In 2017, articles with titles like “Cybersecurity has a serious talent shortage” were predicting 1.5 million unfilled positions by 2020. In the wake of the pandemic and Great Resignation, the actual shortfall is now much worse. The Biden administration is trying to do something about it, but the wave of job-changing is not letting up.

When the IT and security folks (sometimes that’s the same person) leave their jobs, it creates gaps in security operational tasks. Here’s a real-world example: An IT director was diligent about implementing patches on a monthly schedule. They would take down the appropriate assets on the network late at night and do the patching they needed to do. But then that person left. The organization knows it needs to do the patching, but who will do it? And can they get away with patching less regularly? (Hint: The answer is no.)

The bad guys know

The criminals are onto us, of course. They know about the skills gap, they know about the talent gap, and they know people are leaving their jobs. And they are taking advantage of it. Criminals are watching patches get released and then going out to attack organizations that don’t apply the patches quickly.

For the non-IT folks, here’s an analogy: Let’s say there’s a lock on your front door, and the manufacturer recalls it because you can open it with a blank key. But you ignore the recall notice or just don’t get around to replacing the lock. A criminal who has seen the recall notice walks your neighborhood looking for that lock. They spot yours and know they can use the blank key to open your door.

It used to be that criminals didn’t go after vulnerabilities quickly. That changed, and now some patching needs to be done urgently (for more, see “Patch Game,” at left). But without the staff to do the work, who does it?

Patching is just one thing that doesn’t get done when there’s a dearth of security personnel. Other things that fall by the wayside include audits, employee security training, upgrading defenses, monitoring for attacks and attackers in the system, and updating preparedness documents. One organization had a well-documented call tree of whom to alert in case of a cyberattack, but half the people on the call tree had left the organization.

The consequences

You know the consequences of bad cybersecurity hygiene. Even organizations with good security postures have fallen victim to ransomware attacks. The year 2020 saw 304 million ransomware attacks worldwide, which was a rise of 62 percent year over year.

The solutions

Organizations that had decided to do all of their cybersecurity in-house are now facing the new reality that they can’t find the employees. Others that never had big staffs are recognizing the need for better security. For both types of organizations, they can choose two paths: automation or outsourcing. There’s a plethora of companies that promise to fix cybersecurity problems with software alone, and they certainly can help. But someone must be watching the alerts on that software, so the talent gap potentially remains.

Other organizations are looking to outsource their people problem with a partner to whom they can hand off 24/7 monitoring, get help with vulnerability scanning, and get help with incident preparedness. Especially until the Great Resignation trend works itself out, turning to managed and professional cybersecurity service firms can help reliably fill those gaps and improve outcomes.

Jake Milstein is the chief marketing officer at Critical Insight, a Bremerton-based information security company that provides systems assessments, vulnerability testing, planning, regulatory compliance, and other IT and cybersecurity services.

For more information: criticalinsight.com