Nils Gerhardt, Chief Technology Officer, Utimaco
There is a clear shortage of trained cybersecurity professionals and a need to close the gap. Although there has been a decrease in the skills shortfall over the last year (3.12 million to 2.72 million), the world is effectively missing the equivalent of a major city’s worth of workers to secure valuable data. This would be a major problem in ordinary times, but these aren’t ordinary times.
The effect of the last two years has been that fraud is increasing while the capacity of existing professionals, and the flow of new entrants into the field, is shrinking. Additionally, new technology threatens to make existing cybersecurity skills obsolete and to render many of the forms of protection they rely on useless. However, before we explore that threat and its ramifications, it’s important to look at the current problem.
Why is there a serious shortage of cybersecurity professionals?
Cybersecurity is a growing industry, with Germany seeing growth of as much as 165% in 2021, and cybersecurity professionals typically report very high job satisfaction. However, one of the major drivers of the skills shortage seems to be the complexity and ever-evolving nature of the role. It is difficult to keep up with a changing security ecosystem when cybersecurity teams are facing an increasing workload and burnout, and HR departments find it difficult to hire candidates with the right skills.
Many current cybersecurity professionals say that their companies don’t understand the skills necessary to work in cybersecurity, demanding an unrealistic level of experience and certification and ignoring the varied paths that people take into the profession. Because people with high levels of security training are rare, compensation needs to be set at a high level, and even though pay in the industry is typically very good it often falls short of what highly skilled and experienced people expect.
Cybersecurity skills shortage: an impending threat
This shortage in skills comes at a time of growing cybersecurity threats, but there is a way in which it can get worse. Quantum computing has long been theorised but only in the last few years have working prototypes emerged. By using the counter-intuitive effects that emerge at very small scales, where an object can be in two places at once or can ‘entangle’ with another object so that they continue to affect each other across time and space, scientists have developed computers with capabilities that far outstrip conventional computers based on a binary logic where everything is either a zero or a one.
This is a major problem for the cybersecurity industry because many forms of encryption that secure valuable data are not literally impossible to crack, but cracking them is so time-consuming that it could potentially take billions or even trillions of years. Imagine trying to guess a four-digit numerical PIN – it would take a maximum of 9,999 tries before you were guaranteed to get the right number. For an 8-character password that uses numbers and lowercase and uppercase letters, that time increases to 92 years with a traditional CPU. The linked article shows how, even with a $5,000 investment in graphics processing units, this time can be brought down to minutes, which is why passwords are often longer and more complex. Clearly, guessing PINs at an ATM or passwords on a user account in this way isn’t practical – both lock after a certain number of tries. But what if you had an encrypted file?
It is relatively easy for bad actors to acquire large amounts of data, but nearly impossible for them to make use of it because it is secured, often with Public Key Infrastructure (PKI). Although there are more efficient ways to crack this encryption than the simplistic ‘brute force’ attack outlined above, they also take a prohibitively long time – unless an attacker is using the raw power of a quantum computer. This could lead to scenarios in which bad actors take data now and store it until they have access to quantum computers that can break its encryption. Most of this old data will be worthless or out of date, but there may be enough to damage an organisation’s finances or reputation.
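The two paragraphs above contrast an online target that locks after a few attempts with an offline attack on an encrypted file, where the only limit is how fast the attacker can test candidates. The following example, added here and not part of the original article, makes that contrast concrete for a defender sizing up risk: it computes the search space for a PIN or password, the worst-case time to exhaust it at a given guess rate, the attempt budget an online lockout leaves, and, going one step beyond the article, the square-root reduction that Grover's quantum search algorithm gives against an unstructured search such as a symmetric key or password space. The guess rates and lockout threshold are constructed assumptions, not figures from the article.

```python
import math

# Alphabet sizes used in the article's two examples.
DIGITS = 10                    # numeric PIN: 0-9
ALNUM_MIXED = 10 + 26 + 26     # digits + lowercase + uppercase = 62 symbols

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct candidates for a secret of `length` symbols."""
    return alphabet_size ** length


def worst_case_seconds(space: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole space offline at a fixed guess rate.

    The average attacker finds the secret after about half this time, but the
    worst case is what a defender should plan for.
    """
    return space / guesses_per_second


def seconds_to_years(seconds: float) -> float:
    """Convert a duration in seconds to years."""
    return seconds / SECONDS_PER_YEAR


def online_coverage(space: int, lockout_after: int) -> float:
    """Fraction of the space an attacker can test against an online target
    that locks the account after `lockout_after` failed attempts."""
    return lockout_after / space


def grover_effective_space(space: int) -> int:
    """Number of quantum search steps Grover's algorithm needs for an
    unstructured space of size N: roughly sqrt(N). This is the square-root
    speedup quantum computers give against brute-force style search; it does
    not model Shor's algorithm, which attacks RSA and elliptic-curve public
    keys far more efficiently than that."""
    return math.isqrt(space)


def risk_summary(alphabet_size: int, length: int,
                 guesses_per_second: float, lockout_after: int) -> dict:
    """Collect the figures a defender would compare for one secret policy."""
    space = keyspace(alphabet_size, length)
    offline_seconds = worst_case_seconds(space, guesses_per_second)
    return {
        "keyspace": space,
        "offline_years": seconds_to_years(offline_seconds),
        "online_fraction_testable": online_coverage(space, lockout_after),
        "grover_steps": grover_effective_space(space),
    }


if __name__ == "__main__":
    # Constructed assumptions: 1e9 guesses/s for a GPU rig against a fast
    # hash, and an online lockout after 5 failed attempts.
    for label, alphabet, length in (("4-digit PIN", DIGITS, 4),
                                    ("8-char mixed alnum", ALNUM_MIXED, 8)):
        s = risk_summary(alphabet, length, guesses_per_second=1e9, lockout_after=5)
        print(f"{label}: keyspace={s['keyspace']:,} "
              f"offline worst case={s['offline_years']:.6f} years "
              f"online testable={s['online_fraction_testable']:.2e} "
              f"grover steps={s['grover_steps']:,}")
```

The point the numbers make is the one the article makes in prose: a lockout caps an online attacker at a vanishing fraction of the space regardless of its size, whereas an exfiltrated file can be attacked at whatever rate the hardware allows, and a quantum adversary with Grover's algorithm shrinks the effective space to its square root. Lengthening the secret or slowing the verification function (a deliberately expensive password hash) are the defender's levers against the offline case.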
Quantum-safe forms of encryption exist, and some are in use today, but ensuring that every part of a company’s infrastructure is safe from an evolving threat that is still only in the realm of theory is going to be a major challenge.
Cybersecurity in a post-quantum world
Governments, militaries, energy companies, banks and other organisations with critical data are already working to secure themselves against quantum computers. The US has recently worked to ensure that all of its information classified as ‘Top Secret’ and above be encrypted with quantum-resistant security. These aren’t the only organisations that will be affected – any and every company with a digital presence needs to reckon with this, and with how to go about re-encrypting its existing data. This could be a major project for even a small company, and people with the skills to do it are in short supply.
Identifying data that is vulnerable to quantum computing, finding ways to secure it and keeping up with new developments in this technology is a full-time job, and cybersecurity professionals are already overstretched. It is likely that existing cybersecurity professionals will need to train to understand the threat and continually update their training as the threat actualises, and that the training given to new cybersecurity professionals will have to change dramatically.
There needs to be a large-scale realignment in cybersecurity aimed at getting more qualified workers into the industry, helping decision-makers understand the issues and preparing the current and future workforce for a quantum computing age. This would undoubtedly involve all corners of the security ecosystem, including professional bodies, the education sector, and technology providers who can provide the hardware, software and solutions that security professionals will use.
Preparing to be quantum secure will be a major project, but it is essential.