There is a looming crisis in information security that will necessitate that businesses change how they manage their security efforts.
While there will always be new attacks and methodologies with which to contend, it’s the growing shortage of skilled cybersecurity resources that is poised to cause enterprises heartache for the foreseeable future. Already in 2016, the No. 1 concern of enterprises is access to skilled resources.
Think of how dire the shortage actually is for that to rank above a potential data breach as a concern. And it’s poised to get much worse. Forbes predicts there will be 1 million global cybersecurity positions available in 2016. Those shortages are predicted to grow to a quarter of global cybersecurity positions remaining unfilled by 2019. To be precise, that’s 1.5 million out of 6 million total positions that are expected to remain vacant in three short years.
The real trouble is in how greatly these shortages will compound the daunting problems security already faces. As is, the costs associated with cybercrime, the number of successful attacks organizations suffer and the costs to contain security incidents all continue to rise. A job crunch will not improve those numbers. Nor will continuing to rapidly adopt new functionality without building the proper security infrastructure beneath it.
Even with automation, skill matters.
The Internet of Things is the perfect example of that phenomenon, let alone the security implications of millions of newly connected devices. For already stretched thin security practitioners, that means more data to account for, more tools to manage and more reports to coalesce and generate. The problems from being understaffed can escalate quickly.
Organizations should actively prepare for the issues stemming from a lack of qualified cybersecurity professionals. Automating security tasks when possible, exploring new staffing models and investing smartly in security resources are critical to combatting the job crunch.
Automate testing procedures to increase coverage and spare resources
Corporations are by necessity going to have to rely on tools that can automate significant portions of their security testing. There are simply too many parameters to test, and not enough time to think otherwise. Continuous monitoring and scanning are key areas where corporations can employ highly automated solutions that offer good ROI. Granted, even with automation, skill matters.
The more fine tuning and configuration you give security tools, the better they will perform, and the less results will need to be inspected. We’re simply never going to get to that place where you can push a button and get the results you need. However, automation will be a key way organizations can streamline incident investigation and remediation so that the more highly skilled (i.e. expensive) resources can be utilized for breach investigations and hunt teams.
Augment your staff by utilizing hybrid staffing models
Enterprises are increasingly going to have to look to hybrid staffing and security infrastructure models to supplement existing staff. These new models will still have to rely on in-house expertise for incident response, but can shift to outsourced personnel or services organizations certain tasks such as first-line analysis and various security operations functions.
In-house expertise is going to have to be positioned where it matters most. Other functions — such as web application security testing — can be outsourced and easily assigned to a services organization.
Invest in your experts
Does your organization have defined roles and dedicated career paths for information security professionals? Are you paying your top employees competitively? Are employees with an interest in cybersecurity given an avenue for growth in that area? If you’re not doing these things, you should.
The shortage of qualified cybersecurity applicants is only going to cause salaries to rise.
Too many organizations focus on technology solutions and tools without matching that effort with their people. Organizations should instead realize the benefits that come from retaining their current security experts and supporting the development of new internal ones. Companies that can develop in-house security talent are going to be in significantly better shape than those that have to compete with other organizations for top talent on the open market.
Development programs that encourage internal staff to learn security skills should be strongly considered. Organizations with these development programs also benefit by ensuring that the skills taught are the exact skills required for their operations. Analysts can often be developed from individuals who show passion and aptitude for security and come from IT administration or system support.
It’s not only emerging talent that should be supported. Sometimes it’s simply more beneficial to invest in retaining your current experts than paying more for someone not yet familiar with your systems and operations to come on board. Cybersecurity professionals on average do better than their counterparts in software. The shortage of qualified cybersecurity applicants is only going to cause salaries to rise. Replacing resources with the proper skills can take months, and is often simply not possible.