I continue to research and write about the ongoing global cybersecurity skills shortage. For example, ESG research indicates that 45% of organizations report a problematic shortage of cybersecurity skills today, more than any other area within IT.
Want more? Here are a few tidbits from last year’s research project done in conjunction with the Information Systems Security Association (ISSA). In a survey of 437 cybersecurity professionals and ISSA members:
- 29% of cybersecurity professionals say that the global cybersecurity skills shortage has had a significant impact on their organization. Another 40% say that the global cybersecurity skills shortage has impacted their organization somewhat.
- When asked to identify the impact of the cybersecurity skills shortage:
  - 54% say it increased the cybersecurity staff’s workload.
  - 35% say that their organization had to hire and train junior staff rather than hire people with the appropriate level of experience necessary.
  - 35% say that the cybersecurity skills shortage has created a situation whereby the infosec team hasn’t had time to learn or use its security technologies to their full potential.
While the cybersecurity skills shortage endures, the industry itself remains white hot. According to a recent Bloomberg business article, the cybersecurity industry is expected to grow about 7 percent a year through 2019 to reach $46 billion in valuation.
Coincidence? I think not. Cybersecurity is a people-intensive, highly skilled discipline so it’s safe to assume that the lack of qualified professionals as well as the overwhelming workload of employed cybersecurity folks is a root cause of the perpetual wave of security events and data breaches. Likewise, these security incidents are driving financial growth and opportunities in the cybersecurity industry.
While fat cats on Wall Street and Sand Hill Rd. are making good money on cybersecurity, it’s important to understand that the cybersecurity skills shortage giveth and taketh away. Just look above at the ESG/ISSA data – 35% of survey respondents said that their cybersecurity staff is so busy that it doesn’t have the time to use cybersecurity technologies to their full potential!
CISOs are living with the cybersecurity skills shortage and adjusting accordingly. In fact, smart CISOs take the skills shortage into account with every decision they make. What does this mean for investors, VC-backed startups, and security technology vendors?
- Ease-of-deployment, ease-of-use, and time-to-value have become cybersecurity table stakes. While cybersecurity technology will never be a “set it and forget it” domain, CISOs will only buy products that can be deployed, configured, and utilized quickly. VCs should walk away from anything that demands custom configurations, long assessment and deployment projects, or in-depth user training.
- Solutions should include services. For example, there are several great threat intelligence platforms (TIPs) available today but only elite organizations know how to build a world-class threat intelligence program to benefit from these tools. Threat intelligence vendors (e.g., Anomali, Flashpoint, LookingGlass Cyber Solutions, Recorded Future, ThreatConnect, ThreatQuotient) should work with service providers that offer training, project management, and deployment services for threat intelligence programs. Remember too that most organizations don’t have the experience or staff size to take this on themselves. This means that staff augmentation services, SaaS offerings, and MSSP services will dominate a skills-challenged market for threat intelligence analysis and many other areas of cybersecurity specialty.
- Baked-in automation, intelligence, and orchestration should do some heavy lifting. There are simply too many things to do (e.g., investigate alerts, scan for software vulnerabilities, remediate risks) for current cybersecurity teams to keep up. New technologies must pitch in with improved intelligence to help identify and contextualize real problems, reducing analysts’ time for investigations. And new tools MUST automate and orchestrate processes to address the number and complexity of today’s manual infosec tasks. Think of automobile manufacturing before and after Henry Ford – that type of quantum improvement is needed for cybersecurity today.
- Think architecture. Just as Marc Andreessen predicted, software is eating the world and cybersecurity is no exception. In fact, cybersec tools are moving into a software-defined paradigm that ESG calls a security operations and analytics platform architecture (SOAPA) where each tool adds its own unique value while becoming a part of a greater system. New technologies must be designed to stand on their own AND contribute to a greater whole.
The global cybersecurity skills shortage AND the increasingly dangerous threat landscape show no signs of abating. Therefore, the only way to move ahead is to create new technologies that can bridge both gaps. Those investors who understand the ramifications of the global cybersecurity skills shortage will prosper financially while creating companies and technology solutions that truly deliver value to the market.