In recent years, many virtual column inches have been dedicated to discussing the cyber security skills gap. According to the Global Information Security Workforce Study (GISWS) by Frost & Sullivan for the (ISC)2 foundation, a shortfall of 1.5 million security professionals is forecast by 2020. These are large numbers, but it’s important to remember that skills shortages and surpluses aren’t unique to information security, so it’s useful to understand both the dynamics of the employment market as well as some things that organizations can do to reduce the impact that a skills shortage can have on them and their security teams.
If we look more closely at what the “cyber security skills gap” covers, there are at least three broad areas which are worth defining, as they all have a part in contributing towards the current deficit that the industry is facing.
1. Skills Shortage:
A skills shortage occurs when there simply aren’t enough workers who are qualified, available, and willing to work under the existing market conditions.
2. Skill Gap:
A skill gap refers to a situation where employers are finding workers to employ, but those workers are considered under-skilled, lacking some of the skills that are needed in their positions. Another aspect of this could be that in today’s ever-evolving security market, a company’s existing workforce might prove to be under-skilled relative to a desired level or benchmark.
3. Recruitment Difficulties:
These refer to situations where there is an ample supply of qualified candidates in the market, but employers are not able to fill their vacancies. This can be due to poor pay, non-standard working hours, or commuting challenges.
One thing to bear in mind is that the information security industry isn’t one homogeneous discipline; rather it’s made up of many sub-disciplines. Using the medical field as an analogy, a lack of heart surgeons doesn’t necessarily equate to a lack of all doctors overall. Similarly, not all areas of information security have similar gaps, or indeed concerns. In the aforementioned (ISC)2 study, 72% of respondents were concerned about application vulnerabilities with only 48% worried about cyber terrorism.
With these factors in mind, there are a few things enterprises can do in order to minimise the chances or impact of information / cyber security skill shortages.
1. Outcome-based security
It’s easy for enterprises of all sizes to fall into the trap of wanting to implement security controls that they see others implementing. Often this takes the shape of adopting a standard such as ISO27001, or other ‘best practices’. Whilst this is a safe approach, it doesn’t take into account what an individual company’s requirements are with regards to the actual security risks it faces.
By first formulating the security outcomes that a company requires in alignment with its business requirements, it can develop a more efficient and potentially leaner security organization that only deploys security controls and resources where they are most needed.
2. Closing Gaps
In some cases, a skills gap can be filled by personnel in other departments or areas of the organization. For example, while the production of a compliance report may be a security function, it doesn’t need to be executed by the security team itself.
Similarly, enterprises should evaluate which security roles could be filled by providing additional training to existing non-security staff.
Finally, at times, companies may need to get creative about how and from where they recruit people. For example, offering the opportunity to work remotely could successfully attract talent that is unable or unwilling to relocate.
Another avenue is to revisit hiring guidelines and review them for appropriateness. Is a university degree really a mandatory requirement for hiring a security professional? Even FBI director James Comey alluded to obstacles in recruiting some of the best talent due to being unable to hire anyone who has used marijuana.
3. Technology Consolidation
Throwing technology at security challenges may appear to be an easy way to address a problem, but this approach very often creates more problems than it solves. It is common to see multiple security products, often with overlapping features, deployed within an enterprise. While this deployment of a variety of point solutions is traditionally referred to as providing “defense in depth”, Rick Holland coined the phrase, “expense in depth”, because such a complex security infrastructure becomes extremely expensive and difficult to deploy and manage.
This expense is not restricted to the capital required for purchasing, but also extends to the ongoing maintenance of the product. It also often means that staff need to be trained, or new staff recruited, in order to administer the new technology product. Oftentimes these are advertised as security jobs, but in reality they are simply glorified technology administration roles.
A better approach would be to look for pre-integrated or unified technologies that have multiple features. Some may argue that the individual features of a unified product don’t stack up against point products, but the reality is that very often the whole is far greater than the sum of its parts, and affords a wide array of benefits, particularly in reducing the number of personnel needed to manage it.
There is undoubtedly a shortage of adequately skilled security professionals in many areas of information security. However, simply throwing more money in the hope of attracting new talent is not a sustainable strategy. Enterprises should evaluate their security strategies in line with business goals and objectives. In doing so, they might be able to reduce the burden of having to almost continually recruit new talent. At the very least, this could bring about a higher degree of efficiency through a consolidated and streamlined security technology stack.