There’s Something Strange In The CVE Woods, Who You Gonna Call?
Last week, the number of CVE vulnerabilities received and analyzed by the National Vulnerability Database for 2022 surpassed the total number of CVEs for 2021. With nine weeks still left in 2022, we are on pace to crush last year’s record of vulnerabilities. And we are bound to set another record in 2023. When we shifted our infrastructure from on-prem server rooms to the cloud, we shifted to new types of vulnerabilities — imagine what sort of vulnerabilities are in store for us 10, 20, and 30 years ahead, like when quantum encryption advancements become a reality.
Meanwhile, the number of experienced staff available to assess, prioritize, and mitigate the risk of increasing — and increasingly complex — vulnerabilities is shrinking. ISC2 reported a 26% global increase in cybersecurity workforce gaps in its 2022 Cybersecurity Workforce Survey; 48% of respondents reported lack of time for proper risk assessment, and 39% reported slowness to patch critical systems as a result. And the vulnerability analysts who truly understand the risk of the ins and outs of the newest technologies are busy building and maintaining them.
So vulnerability programs face historically high volume and staff shortages. Vulnerabilities are bound to increase, and according to the US Bureau of Labor Statistics, demand for information security analysts is set to increase 35% by 2031. Unfortunately, vulnerability teams are already behind.
Hire For The Potential, Then Train For The Gaps
Security and risk pros must diversify recruitment pools to identify the appropriate staff required to assess, prioritize, and mitigate the risk of vulnerabilities. There are plenty of ways to apply different backgrounds and experiences toward the skills and attributes required of a vulnerability risk analyst. Consider that those with backgrounds in law enforcement, the military, journalism, or finance are already preparing reports and procedural findings and initiating the necessary steps to mitigate escalations. Vocational trades, like plumbers or electricians, as well as healthcare professionals, are assessing issues, analyzing multiple factors, and identifying root causes. Although people from these backgrounds might not yet have the technical knowledge to join vulnerability teams as immediate rockstar analysts, they possess applicable experience, skills, and abilities necessary for the role — including those listed by the National Initiative for Cybersecurity Careers and Studies.
Knowledge can be gained. So can skills, attributes, and abilities — but they are much more inherent and natural for some individuals. If you can recruit those who display the right skill sets onto your teams, you can always make up for what they don’t know by leveraging training platforms, certification programs, and vendor-specific learning modules.
Let’s remediate the vulnerabilities in our self-inflicted staffing shortage with a willingness to bring in staff with nontraditional backgrounds and invest in their knowledge. I’m pleased to announce two new reports that provide analysis, steps, and tools to do just that: How To Manage Your Vulnerability Risk Program Amidst Skill And Labor Shortages and the Vulnerability Risk Analyst Role Profile. Forrester clients can view and utilize these reports to begin their vulnerability management staffing transformations, better understand challenges of vulnerability teams today, and maximize strategies to minimize staffing shortages. Clients can also schedule an inquiry with me.
See You In Washington, D.C. (Or Virtually)
Please join us at Forrester’s Security & Risk Forum in Washington, D.C. on November 8 and 9. There are virtual options available as well. I will be talking about these vulnerability risk management themes during my presentation Reinventing Your Vulnerability Program to Regain Trust, including how vulnerability teams initially spooked by Spectre should have been saying “I ain’t ‘fraid of no ghost!” I hope to see you there!