One of the cyber challenges that has long faced organizations is the IT skills gap, and as cybercriminals have widened their focus and moved down the food chain to target more small and medium-sized businesses, that problem has become more pronounced. This is particularly true for what Confer founder and VP of products Paul Morville describes as the “IT middle class.”
“You’ve seen this massive acceleration in terms of people who need to worry about security, people who have to acquire talent in that area,” said Morville, who was a guest on this week’s Cyber Chat podcast. “It’s only getting harder.”
That “democratization” of who is being targeted is the biggest driver behind the often-reported skills gap, Morville said. More businesses than ever are in need of security professionals, and there’s just not enough talent to go around.
The Growing IT Middle Class
The numbers back up those assertions. According to a 2015 analysis of Bureau of Labor Statistics numbers, the demand for IT security professionals is expected to grow by 53 percent through 2018, and a 2016 ISACA report found that 62 percent of those surveyed stated their organizations have too few information security professionals.
In addition, the ISACA report noted:
- Finding talent can take a long time: More than half of organizations require at least three months to fill open cybersecurity positions, and nine percent could not fill the positions at all.
- Most applicants do not have adequate skills: Fifty-nine percent of respondents said that less than half of cybersecurity candidates were considered “qualified upon hire,” up from 50 percent a year prior.
- Security confidence is down: Only 75 percent of respondents reported that they were comfortable with their security teams’ ability to detect and respond to incidents, down from 87 percent a year prior.
In many ways the problem of the cybersecurity skills gap is defined by this growing IT middle class, as Morville noted:
Currently, the largest organizations — such as mega-banks and the military — have the resources to excel at IT security. … Just one tier down from this elite group, it’s a different story. … Under these circumstances, security teams are forced to rely on security tools that are outdated, siloed and inefficient. These tools allow too many attacks to get through, are often disruptive to users, and offer no post-incident value.
Organizations at the top of their industries devote a lot of resources and manpower towards security, but that drops off “really fast” when you start moving down market, Morville said.
Addressing the Gap
Finding the right candidate can be challenging because, as others have said, security professionals often have to be chameleons and wear many different hats.
“When you look at a security person, they’re part engineer, they’re part researcher, they’re part operational in nature, they’re partly a police officer,” Morville said. “You can’t go to a university right now and study that. There’s very few programs that are specialized in this area.”
He added, “I think the more we can do in terms of feeding more people with this skill set into the funnel, the better off we’ll be.”
But finding people to stop the bad guys is only half the equation, Morville said. The other half is doing so in a way that frees up resources. That’s where security tools need to improve to make sure they’re helping organizations become more efficient.
“I put a lot of burden back on the security vendor community in terms of trying to create products that, as I said, become more of a force multiplier.”
As SurfWatch Labs chief security strategist Adam Meyer wrote, there is a huge difference between being actionable and being practical, and tools and intelligence need to be more practical. This means security tools should free employees from low-level tasks so that the staff an organization does have can make better use of their time, Morville said.
“Everybody is just always looking for new security people — people to add to the team. It’s hard to find people, and it’s hard to train people, and it’s hard to retain people.”
For more, listen to the full conversation with Confer’s Paul Morville about the skills gap, how it’s affecting the IT middle class, and what security vendors, businesses and others can do to help address the problem.