The cybersecurity labor shortage is in full swing, and organizations worldwide are feeling its effects. In our latest ebook, we suggest three strategies to help security leaders navigate the labor shortage.
Today, we’ll explore one of those strategies: modernizing your PKI, which can be a boon for your IT and security teams’ efficiency, as well as your organization’s security posture. But first, it’s worth taking stock of the myriad factors in the cybersecurity labor shortage.
Understanding the cybersecurity labor shortage
The labor shortage isn’t a problem that will resolve itself quickly. Its symptoms and ramifications will hold major implications for the business world for years to come — even as the current demand for cybersecurity talent is outpacing the workforce.
The labor shortage isn’t a new problem either. Cybersecurity Ventures reports that 2013 saw one million unfilled cybersecurity roles worldwide. A 2022 Cybersecurity Workforce Study by (ISC)² showed that the cybersecurity labor pool reached an all-time high in 2022 at 4.7 million workers — an 11% increase since 2021. However, the workforce gap widened by 26.2%, creating a global shortage of 3.4 million workers. More than 700,000 of those vacant positions are in the U.S.
Cybersecurity Ventures asserts that the labor shortage is leveling off but not decreasing. They predict that the current gap of 3.4 million workers will hold steady through 2025.
The business risks of a short-staffed security team are high
A study from Trellix shows that the shortage affects 85% of organizations’ security posture. The (ISC)² survey polled cybersecurity professionals about the biggest obstacles exacerbated by the shortage.
- Misconfigured systems (32%)
- Insufficient time for proper risk assessment and management (30%)
- Excessive lag time in patching critical systems (29%)
- Oversights in procedures and processes (28%)
- Inability to stay ahead of active threats against company networks (27%)
- Rushed deployments (27%)
These vulnerabilities can potentially disrupt business operations significantly, and no organization is immune. Crypto.com, the Red Cross, Microsoft, Cash App, and others suffered notable breaches in 2022. IBM’s Cost of a Data Breach report found that 85% of organizations suffered a breach — many experienced more than one.
To compound the consequences, the cost of a breach has never been higher. IBM estimates that a data breach in the U.S. costs an average of $9.44M, with breaches in the healthcare industry costing even more — $10.10M on average.
Certificate outages are becoming just as big of a concern as phishing attacks and compromised credentials
Though IBM found that phishing attempts and compromised credentials were the most frequent and costly cause of breaches, certificate outages are becoming more common and more expensive.
Keyfactor’s State of Machine Identity Management 2022 Report found that 81% of organizations have experienced at least two or more disruptive outages caused by expired certificates in the past two years, with the average organization suffering four certificate-related outages. The average cost of a certificate outage for a global 5,000 company came in at $15M.
- The volume of certificates used by the average enterprise numbers well over a quarter million.
- Three-quarters of organizations say the growing use of digital certificates and keys has significantly increased the operational burden on their IT organization.
- Decreasing certificate lifecycles pose a challenge. In 2020, certificate lifecycles were cut in half, from 27 months to 13 months, essentially doubling the work and risk of maintaining them for organizations that lack mature public key infrastructure (PKI) processes.
Pandemic-driven burnout is a significant contributor to the labor shortage
CyberSN, a cybersecurity job board, reported that resignations in the cybersecurity field had risen around 20% since the pandemic’s start. Before the Covid 19 pandemic, cybersecurity workers on both the East Coast and the West Coast cited a lack of growth opportunities as their top reason for resigning. Notably, burnout did not make the top five reasons for quitting a role on either coast. Contrast that to today, where burnout is the top reason for resignation on the West Coast and the second-highest reason on the East Coast, accounting for 30% of resignations for each.
A modernized, automated PKI gives cybersecurity teams more bandwidth
Many cybersecurity teams waste hours on operational tasks that could be easily automated, freeing them up to focus on other responsibilities. Beyond time savings, automation can also have other positive impacts on the business, as it can alleviate the risks associated with misconfiguration due to human error. IT and security teams that manually manage their organization’s PKI are challenged with barriers, including:
- A lack of expertise creates downstream inefficiencies
PKI is an unforgiving endeavor. It must be designed perfectly from the very outset because certain elements, once set in place, are impossible to alter without a restart of your PKI project. Generalist teams rarely possess the expertise to get PKI right the first time, which creates more work for them in managing and maintaining PKI.
- Manual processes inhibit scalability
The process of requesting, creating, issuing, and tracking certificates is tedious and manual. According to Keyfactor’s State of Machine Identity Management 2022 Report, 42% of respondents still use spreadsheets to track certificates. This undoubtedly costs your team hours upon hours each week.
- A lack of centralization obscures visibility
Keyfactor’s State of Machine Identity Management 2022 Report shows that enterprise-wide visibility into the status of all certificates is the top priority for PKI teams. The complexity of achieving this visibility makes it a job unto itself. Without a centralized hub for managing PKI, teams can’t lay the groundwork for automation or act proactively to prevent certificate outages.
To weigh the viability of automating your PKI, there are a few factors to consider.
Evaluate the current state of PKI
Consult with the teams and leaders who touch the PKI process to understand how certificates are managed and how much time it takes to provision, install, and renew them.
This team can help map out your organization’s certificate authority (CA) infrastructure, which applications require certificates and the workflows around managing certificates. With the big picture in hand, you can better assess the total cost of ownership around your current PKI strategy. The following questions will help capture the total cost of ownership around your PKI management processes.
- How many hours are spent managing PKI per week and month, and what is the dollar amount attached to those labor costs?
- How much does your organization spend on PKI-related tools and licensing fees?
- How often do your organization experience certificate-related outages?
- How long does it take to respond to a certificate-related outage?
- How much do you lose in downtime, process disruption, lost opportunity, and reputational damage due to these outages?
Assess the price of staying the course
The burden of inefficient PKI management and infrastructure isn’t static. It will grow over time as certificate usage increases, compliance regulations escalate, and the risks of a breach become more severe. Doing nothing comes at a cost, a cost you should consider while evaluating a PKI investment.
Note that organizations that entrust PKI to general IT and security teams do so at the expense of their primary duties. When these teams are forced to choose between those primary duties and managing PKI, PKI will almost always come second. This is only natural, but it comes with a dollar amount that will only increase as organizations endeavor to do more with less staff across all departments.
- What are the risks in your current PKI process, and how will those risks heighten over time (including compliance)?
- If the team members handling PKI at your organization had more hours to devote toward their primary, non-PKI responsibilities, how much value would that drive for the business? How much of this value are you losing out on as PKI becomes more unwieldy, taking up more of these team members’ time?
- Are PKI duties detracting from team members’ effectiveness in their primary roles? For instance, are issues slower to be resolved, or are you paying team members overtime to complete the full scope of their work? At what point will the workload demand a new hire, and what does that cost?
- As your use of PKI scales with your current process, your issues will scale, too. At what rate will they become more frequent and severe? What is the breaking point for your organization? How much will that breaking point cost, and how much will it cost to recover?
While automation requires a substantial investment in technology, it’s a huge win for organizations that can recapture lost efficiencies – which has a direct financial benefit in a tight labor market.
Define success for your modernized PKI
PKI management can and should enable automation, visibility, scalability, and a preventative, proactive approach. Once set up, maintaining and managing PKI becomes less of a burden.
- If your current PKI team could automate, scale, and be proactive in managing PKI, how much bandwidth would that return to them that could be focused on other security and IT tasks? What about if you could take PKI off of their shoulders completely?
- What are the infrastructure-level efficiencies that will be created by modernizing PKI, and how do those efficiencies translate to reduced costs or higher revenue?
- Between fewer outages and more effectively-spent manhours, how long will it take for your solution to pay for itself?
Efficiency gained through automation mitigates burnout
Cybersecurity and IT professionals are passionate about the hard work they do. They aren’t burning out because of overwork — they’re burning out because of needless work. The most often overlooked way to change the efficiency curve is to find and eliminate manual processes in favor of automation.
And while the rise in cyber-professional wages will undoubtedly draw more workers to the industry and eventually quell the labor shortage, experts believe it takes anywhere from two to five years to become proficient in a cybersecurity profession, creating a long lead time for developing and sourcing talent.
Fortunately, the future is not all bleak. We still need to focus on fixing the labor shortage, but it’s also imperative for organizations to adopt technologies that can help their existing cybersecurity teams work more efficiently. These technologies can go a long way toward resolving the challenges we face today.
Need help advancing your cybersecurity efforts?
Keyfactor helps companies (including those with under-resourced teams) secure every digital key and certificate for multi-cloud enterprises, DevOps, and embedded IoT security. Click here to learn more about what we offer, including how our Cloud PKI-as-a-Service offers every organization access to an elite team of cybersecurity experts.
To learn more about how a modernized approach to PKI can help your cybersecurity team become more efficient, download our new ebook: Three Strategies to Help Security Leaders Navigate the Cybersecurity Labor Shortage.