Cyber Security Skills Gap: What Can You Do to Maximise Your Resources?
In analysis / By Stephen Peak / 13 November 2019
The IT security sector is in crisis. The shortage of skilled professionals has deepened to the point where organisations across the globe struggle to find the people they need to keep mission-critical IT systems secure and compliant. The latest stats out this week reveal that the number of unfilled positions has exceeded four million for the first time. This has repercussions far beyond the industry itself, of course.
Problems like this are notoriously hard to fix as it can take years before we find out if new strategies are starting to fill the talent pipeline again. So, what can organisations do to address the cyber security skills gap and maximise their resources in the meantime?
How bad is the skills gap?
The bottom line is: it’s pretty bad. According to estimates from certifications organisation (ISC)², the global skills gap rose from 2.9 million professionals this time last year to 4.07 million this year — an increase of 39%. The shortfall in North America is 561,000, while in APAC, a region which has many science and technology graduates, the shortfall is a massive 2.6 million. Europe has a smaller overall shortage of 291,000 professionals, but that figure has jumped 100% from last year.
Unsurprisingly, nearly two-thirds (65%) of the 3,000+ infosecurity professionals polled by (ISC)² said their organisation was experiencing a shortage of cyber security staff, and over one third (36%) claimed the cyber security skills gap was their number one workplace concern.
These figures are backed up by other pieces of recent research. A Tripwire study from March 2019 found that 85% of organisations believe their IT security department is understaffed. A poll of Infosecurity Europe followers, which was carried out this year, also revealed that nearly half of existing businesses (46%) are finding it difficult to encourage new talent to join the IT sector. Meanwhile, industry body ISACA revealed that 69% of cyber security professionals believe they're understaffed.
Why does it matter?
It stands to reason that fewer in-house skills mean organisations are more exposed to cyber risk. Over half (51%) of respondents to the (ISC)² poll admitted that their organisation is at moderate or extreme risk due to staff shortages. This couldn’t have come at a worse time.
Cyber threats are growing at a faster rate than cyber security professionals can contain them. Black hats have the resources of a $1.5 trillion cyber crime economy at their disposal, offering off-the-shelf hacking tool-kits and updated advice for launching a range of money-making attacks. Today’s security teams have to contend with phishing and social engineering, file-less malware, organised cyber crime gangs running coordinated Business Email Compromise (BEC) and other campaigns, information-stealing malware, and much more besides. One security vendor blocked over 26.8 billion unique threats in the first half of 2019 alone.
Security teams are overwhelmed by the scale of the challenge. A perfect storm of escalating threat levels combined with a sudden surge in corporate endpoints, including IoT devices and cloud systems, is threatening to submerge them in a tsunami of security alerts. It doesn’t help that competing security products may lead both to security gaps and overlapping alerts, while poorly configured tools mean many of these alerts may be false positives.
At the same time, the stakes have never been higher. Consider the huge fines that GDPR and NIS Directive regulators could levy for security mistakes that lead to serious breaches.
What can you do?
To put things into perspective, the global information security workforce needs to grow 145% to meet surging demand. That’s unlikely to happen any time soon. But there are some immediate changes your business can make today to help cope with surging cyber threat levels and increased compliance requirements.
Consider the following:
- Revisit your hiring strategy. Consider applicants from a broader range of backgrounds; potentially non-IT related professionals and graduates
- Consider retraining existing employees from the IT department or elsewhere
- Take a look at AI and automation tools which can help take the workload off stretched IT security teams. SIEM and incident response are areas where you could benefit, although analysts are still needed to act on alerts
- Improve security training and awareness of all staff, to provide a better first line of defence against phishing attacks. Remember to extend this to all employees, including temps and execs
- Consider outsourcing some of the security function to third-party experts. Managed IT partners can take the strain off your in-house team by running secure infrastructure, security monitoring services and more
Every organisation is different, and there may be specific strategies that work best for you. When done properly, cyber security is ultimately the art of risk management. And one of the most pressing risks today is not having the human resources you need to keep threats at bay.