Cyber Security Skills Gap: What can you do to Maximise your Resources?
In analysis / By Stephen Peak / 13 November 2019
The IT security sector is in crisis. The shortage of skilled professionals has become a global problem, as organisations everywhere struggle to find the people they need to keep mission-critical IT systems secure and compliant. The latest figures, published this week, show that the number of unfilled positions worldwide has passed four million for the first time. The repercussions reach far beyond the industry itself, of course.
Problems like this are notoriously hard to fix, because it can take years to find out whether new strategies are starting to refill the talent pipeline. So what can organisations do in the meantime to stem the tide?
How bad is the skills gap?
The bottom line is: it's pretty bad. According to estimates from the certification body (ISC)², the global skills gap rose from 2.93 million professionals this time last year to 4.07 million this year, an increase of 39%. The shortfall in North America is 561,000, while in APAC it is a massive 2.6 million, even though the region produces large numbers of science and technology graduates every year. Europe has a smaller overall shortage of 291,000 professionals, but that figure has doubled since last year.
Unsurprisingly, nearly two-thirds (65%) of the 3,000+ information security professionals polled by (ISC)² said their organisation was experiencing a shortage of cyber security staff, and over a third (36%) named this as their number one workplace concern.
These figures are backed up by other recent research. A Tripwire study from March found that 85% of organisations believe their IT security department is understaffed. A poll of Infosecurity Europe followers this year found that nearly half (46%) are finding it difficult to attract new talent into the sector. Meanwhile, industry body ISACA reported that 69% of cyber security professionals believe their teams are understaffed.
Why does it matter?
It stands to reason that fewer in-house skills leave organisations more exposed to cyber risk. Over half (51%) of respondents to the (ISC)² survey admitted that their organisation is at moderate or extreme risk because of staff shortages. This couldn't have come at a worse time.
Cyber threats are growing faster than cyber security professionals can contain them. Black hats can draw on the resources of a cyber crime economy estimated at $1.5 trillion, which offers off-the-shelf hacking toolkits and advice for launching a range of money-making attacks. Today's security teams have to contend with phishing and social engineering, fileless malware, organised cyber crime gangs running coordinated Business Email Compromise (BEC) and other campaigns, information-stealing malware, and much more besides. One security vendor alone blocked over 26.8 billion unique threats in the first half of 2019.
Security teams are overwhelmed by the scale of the challenge. A perfect storm of escalating threat levels and an explosion in corporate endpoints, including IoT devices and cloud systems, threatens to submerge them in a tsunami of security alerts. It doesn't help that overlapping security products from competing vendors can leave both coverage gaps and duplicate alerts for the same event, while poorly tuned tools mean that many of those alerts are false positives that still have to be triaged by a human.
At the same time, the stakes have never been higher. Consider the substantial fines that GDPR and NIS Directive regulators can levy when mistakes lead to serious breaches.
What can you do?
To put things in perspective, (ISC)² estimates that the global information security workforce needs to grow by 145% to meet current demand. That is unlikely to happen any time soon. But there are things you can do today to help cope with rising threat levels and compliance requirements.
Consider the following:
- Revisit your hiring strategy. Consider applicants from a broader range of backgrounds, including non-IT professionals and graduates, and hire for aptitude rather than only for existing certifications.
- Consider retraining existing employees from the IT department or elsewhere; people who already understand your systems and business are often the quickest to become productive in security roles.
- Look at AI and automation tools that can take routine workload off stretched IT security teams. SIEM and incident response are areas where you could benefit, for example by automatically de-duplicating and enriching alerts, although analysts are still needed to investigate and act on what remains.
- Improve security training and awareness for all staff, to provide a better first line of defence against phishing attacks. Remember to extend this to everyone, including temporary workers and executives, who are frequent targets.
- Consider outsourcing part of the security function to third-party experts. Managed IT partners can take the strain off your in-house team by running secure infrastructure, security monitoring services and more; keep ownership of risk decisions and access to your own logs and evidence in-house.
Every organisation is different, and there will be specific strategies that work best for you. Done properly, cyber security is ultimately the art of risk management, and one of the most pressing risks today is not having the people you need to keep threats at bay.
If you'd like to speak to someone about your current security team or would like some advice on outsourcing to a managed IT provider, contact us today.