The pandemic transformed the workforce for organizations across all verticals, with employees quickly and unexpectedly transitioned from offices to working from home. The new year brings more complications. Vaccine distribution could mean a return to offices, but most experts expect a new hybrid model to emerge. Pile that on top of the already challenging situation posed by a supposed skills gap and efforts to improve diversity, and 2021 will introduce an array of workforce shifts across the community.

As part of our year in review, which looked at critical events during the last year and how they might influence 2021, SC Media collected predictions across a range of categories from cybersecurity experts. Here, experts offer their perspectives on the 2021 cyber workforce. 

There will continue to be more security jobs than people to fill the roles, says Florindo Gallicchio, managing director at NetSPI:

“Security leaders will be challenged by filling roles that require candidates with mid- to senior-level experience – and entry level job openings will continue to be in high demand. Because of this, companies will need to do more with fewer people. This will result in increased adoption of program-level partnerships with third parties or using vendors to fill in-house positions at scale.”

A skills gap crisis will emerge in the U.S. government, says David “moose” Wolpoff, chief technology officer and co-founder at Randori:

“Chris Krebs’ unceremonious post-election ousting may be the proverbial sour cherry on top of the Trump administration’s treatment of cybersecurity talent in the White House. Under the administration, turnover at the senior leadership level of the National Security Council was record-breaking and we will witness the first downstream effects on our national global cybersecurity ability in 2021. U.S. national cyber policy and our global cybersecurity posture will take a hit, and tactically but crucially, government hiring of cyber talent will stall. These will have lasting impact on our cyber leadership that will take 10-20 years to correct.”

The remote workforce will spell the end of endpoint protection, says Kevin Peuhkurinen, principal research director of security, risk and compliance at Info-Tech Research Group:

“A permanent remote workforce, especially one that is geographically dispersed, will drive organizations to adopt bring-your-own-device and bring-your-own-PC strategies, heralding the end of traditional IT endpoint protection. In the past, organizations could mitigate the risks of employee-owned computing devices through the use of virtual private networking (VPN) software which could look for and enforce security controls. But with the growing obsolescence of VPNs, companies will need to come to grips with the growing presence of untrusted devices in their midst.”

The cybersecurity skills gap will close as employers look to transferable skills over certifications, says Alyssa Miller, cybersecurity advocate at Snyk:

“This year there will be 2-4 million open positions in the cybersecurity industry that will go unfilled. To close this gap, employers need to reimagine how they search for talent. Currently employers seek candidates with the right background, skills and certifications, however this leaves a very small pool of candidates to fill an ocean of jobs. Employers will begin to shift their mindset when it comes to hiring and identify relevant soft skills that are transferable to the cybersecurity sector and focus on hiring from those groups.”

DevSecOps will be the most sought-after enterprise cybersecurity skill set in 2021, says Edward Giaquinto, chief information officer at Sectigo:

“For SaaS providers, application security (DevSecOps) will be the most desirable skill set. SaaS consumers are increasingly aware of the security posture of the partners they engage with. If SaaS providers are not performing security due diligence around the software and services they provide, they will not be successful in today’s market. For the typical enterprise, your standard security engineer, responsible for monitoring the day-to-day status of that enterprise’s cybersecurity posture, will be the highest-desired skill set.”

Pandemic-led pressure cracks insiders and drives bad decisions, says David Higgins, technical director at CyberArk:

“Economic uncertainty and the move to remote work and school have put many in uncharted territory. These new challenges could likely drive more employees to make poor decisions when it comes to cybersecurity and create a whole new wave of insiders. Attackers are increasingly offering employees with privileged access tempting financial incentives to share or ‘accidentally’ leak their credentials. In addition, privileged access on the dark web is more popular than ever, with some reports indicating that attackers will pay a premium for privileged access to corporate networks, VPNs and workstations. The potential financial payoff, combined with increased economic anxiety, will drive new threats that organizations will struggle to deal with.”

Women and single parents will continue to be disproportionately impacted by the pandemic, says Carolyn Crandall, chief security advocate and chief marketing officer at Attivo Networks:

“Women are often still viewed as the primary caregiver for children, and as long as we remain in this remote work situation, it will be devastating for a lot of women’s careers. Many will be forced to take a break from their careers, or to choose a less strenuous career path that allows them to juggle and balance these roles.”

CISOs will battle infosec budget fatigue with threat intelligence data, says Jason Fruge, vice president of business application cybersecurity at Onapsis:

“Historically, security teams received the most financial freedom compared to general IT teams for fear of a spending cut, post-data breach. In 2021, however, CISOs will be pressured more than ever to show threat intelligence data to justify security expenditure and move past infosec budget fatigue. They will have to make a strong case using business analytics to highlight security inadequacies to get the budgets they’ve historically had discretionary spending over. Now, only CFOs will have total discretion to spend money whenever they see an issue and they will require additional data to be convinced.” 

DevOps and DevSecOps will evolve into “platform teams” in many organizations, says Liz Rice, vice president of open source engineering at Aqua Security:

“New ‘platform teams’ will take the lead on enterprises’ strategy for what has historically been within the purview of cloud operations, security, and development tooling functions, to provide a higher-level abstraction to application developers. This frees the developers to focus on the business application itself, with less concern about the underlying infrastructure often required by DevOps-oriented teams. One challenge here will be finding the talent able to take this broader architectural view.”

New insider threats will emerge post COVID, says Kevin Peuhkurinen, principal research director, security, risk & compliance at Info-Tech Research Group:

“The new normal will usher in an era of permanent remote work that will combine with a new corporate gig economy fueled by freelancers, resulting in a new insider threat landscape. Delivering effective security awareness and training to a remote workforce will create additional challenges; the days when cybersecurity teams could spend their time putting up posters in hallways and lunchrooms are gone. Providing security education to a growing cohort of untrusted remote employees and freelancers will require new, innovative approaches to awareness.”

‘Activism morphing into hacktivism’ will become a major issue, says Johanna Baum, founder and CEO of security consulting firm, Strategic Security Solutions:

“We have a generation of employees that feel it is their moral imperative to sabotage organizations when they feel it isn’t towards their definition of the greater good. When social activism is done effectively, it can have a powerful positive impact on the direction of an organization. Unfortunately, it’s also often based on misguided principles that can leave an organization divided and facing a misinformation campaign against itself. When it comes to risk management, companies need to evaluate their employees as an internal threat, in addition to their IT and corporate assets. Employees also have about a million anonymous or named platforms to make this happen in a matter of seconds (without any vetting).”
