I’ve been writing about the pervasive IT security skills shortage for the last few years and will continue to do so in 2013. I don’t know why this critical issue doesn’t receive more attention—you can mass produce antivirus software but until we can clone CISSPs, the security skills shortage will have an increasing impact on the state of cybersecurity.
Here is an example of the scope of the security skills shortage. ESG research asked 257 security professionals working at enterprise organizations (i.e., more than 1,000 employees) to identify their biggest incident detection challenges. Here are a few of the results:
- 39% said that their biggest incident detection challenge was a lack of adequate staffing in the security operations/incident detection/response teams
- 28% said that their biggest incident detection challenge was that sophisticated security events have become too hard for us to detect (i.e., lack of the right skills)
- 28% said that their biggest incident detection challenge was that their organizations lack the right level of security analysis skills needed
So, many enterprises don’t have enough security professionals, their existing security staff lacks the necessary level of security skills, or both. Any one of these issues will undoubtedly increase the time it takes to detect and respond to security events. Yikes!
Since this problem is bound to get worse, CISOs need appropriate compensating controls and strategies. Incident detection must be anchored by massive data collection along with greater security technology intelligence, automation, and integration. These capabilities must replace today’s dependence on manual processes and security analyst brain power alone.
Given the increasingly dangerous threat landscape, highly effective incident detection and response processes, technologies, and skills are mission-critical. This is why the security skills shortage and its ramifications increase security risk for all of us.