Success for MSPs depends on the company's ability to attract qualified team members. However, when it comes to security services, MSPs face an ongoing cybersecurity talent gap.
The worldwide shortage of security skills has hampered IT organizations for years. In 2020, the gap between open cybersecurity positions and those employed narrowed globally from about 4 million in 2019 to 3.12 million, according to (ISC)2, an association for cybersecurity professionals. In the U.S, the cybersecurity talent gap shrank from about 498,000 to 359,000.
Hiring and retaining cybersecurity talent remain challenges for many organizations, said Shannon Woody, security consultant and vCISO, cyber defense, at Synoptek, an IT consultant and MSP based in Irvine, Calif.
"MSPs in particular need talent that can morph and shift with the changing needs of multiple clients all at once," Woody said. "MSP talent needs to be flexible. Part of the huge value in engaging with an MSP is that the MSP can take advantage of economies of scale by standardizing a lot of the bread-and-butter cybersecurity hygiene practices. [MSPs can also] home in on the items that are unique by necessity for each client."
Growing skills internally
The turbulent conditions of 2020 underscored the cybersecurity talent gap. As organizations went remote and increasingly digital, they introduced new vulnerabilities. The surge in high-profile security breaches only exacerbated cybersecurity concerns.
"There's a massive gap in the amount of talent that's needed in the cybersecurity industry, and it can be very difficult to find people with the right background," said Bart McDonough, founder and CEO of Agio, a New York-based managed IT and cybersecurity provider.
Cybersecurity professionals generally fall into two categories, according to McDonough.
- In the first category, professionals are typically operationally focused and deployed in detection and response roles. "These analysts proactively hunt for cyberthreats and reactively review event-by-event information," he said.
- The second category consists of governance-focused consultants. These consultants conduct in-depth analyses of security posture and provide recommendations.
To offset the talent shortage, many MSPs have begun to invest in cybersecurity training, which can lead to cost savings and retention.
"MSPs are subject to similar issues in the cybersecurity talent gap as everyone else," Woody noted. "Cybersecurity leaders these days must understand that talent rarely comes in 'fully baked' and will need time and attention to train up. The ideal hire will want to grow and morph their skills base."
In September 2018, Agio launched an internal training program, dubbed Agio Academy. "Because IT and cybersecurity challenges are increasingly merging and often overlap, we can cross-train our IT individuals to become cybersecurity experts, ultimately creating more well-rounded talent," McDonough said. "We're taking it upon ourselves to narrow the [cybersecurity] talent gap by offering training and certification opportunities for our employees."
Supplement the team with AI
While MSPs work to fill positions, some firms have offloaded work to AI systems.
"The amount of incoming information that can be analyzed by any one person is almost impossible," Woody said. "I prefer to augment [teams] with tools that can [handle] those rote tasks: logging and monitoring [and so forth]."
Bart McDonoughCEO, Agio
Woody pointed to the latest crop of anomaly detection systems as helpful tools.
McDonough, meanwhile, highlighted compliance as a promising field for emerging technologies. Agio deploys bots to collect compliance-related data, which human team members can then analyze and synthesize to deliver actionable recommendations to clients, he said.
"When it comes to threat detection and response, we're strong believers that artificial intelligence brings a great deal of promise by alerting our analysts to the most critical issues in a client's environment and directing their attention to the right ones at the right time," McDonough added. "Ultimately, it allows analysts to focus more on signals and less on noise."
However, while advancements in automation tools can boost security efforts, humans remain critical to the process, McDonough said. "We still need humans to use their analytical capabilities and judgment to determine if the alerts presented by our technology are actually issues that need attention," he said.