I frequently peruse information security news, and recently came across this article. The article highlights Symantec CEO Enrique Salem's warning of a shortage of talented cybersecurity professionals in the United States. Furthermore, this shortage is especially pronounced where it may be needed most -- law enforcement, intelligence agencies, and the Department of Defense.
I've been writing and researching this topic for the last few years, and the Symantec CEO is absolutely right. Bravo, Enrique, and thanks for articulating this issue.
I don't know why the growing security skills shortage isn't getting more attention since it really impacts all of us. While the industry waxes poetic about cloud security and Bring Your Own Device (BYOD), we are neglecting a fundamental question: Who is going to perform security tasks in these areas if we don't have the right skills in-house and can't hire anyone who does?
Let me elaborate on the security skills shortage with some soon-to-be-published ESG Research:
- 55% of enterprise organizations (i.e., those with more than 1,000 employees) plan to hire information security/cybersecurity professionals in 2012.
- 83% of enterprise organizations say it is "extremely difficult" or "somewhat difficult" to recruit/hire information security professionals.
- Specific areas where there is a "problematic shortage" of information security skills include cloud/server virtualization security (42% of organizations), endpoint/mobile device security (31% of organizations), network security (31% of organizations), data security (30% of organizations), and security analytics/forensics (30% of organizations).
A few take-aways:
- We have additional data suggesting that this skills shortage is creating a boom market in managed and professional security services.
- Skills shortages are especially prevalent in smaller companies, those in rural areas, and industries with lower IT salaries like government, education, and health care.
- Note that the skills shortage really impacts new technology initiatives like cloud and mobility.
- To overcome the skills shortage, new security technologies must include standard templates, reference architectures, and far more automation.
I've presented at a number of CISO events this spring and almost every security executive I meet violently agrees with the ESG data. Let's hope more industry leaders recognize this and follow Enrique Salem's lead. After all, it's hard to sell products if there is no one around to buy them.