According to ESG Research, 55% of enterprise organizations (i.e., those with more than 1,000 employees) plan to hire additional information security professionals in 2012 but they are extremely hard to find. In fact, 83% of enterprises claim that it is “extremely difficult” or “somewhat difficult” to recruit and/or hire security professionals in the current market.
When you can’t hire full-time employees in an area as critical as information security, you may be forced to seek out help from professional and managed security service providers as an option. This common situation is driving growth in security services over the past two years. In fact, 58% of security professionals say that their organization’s use of managed and/or professional services for information security has “increased substantially” or “increased somewhat” over the past 2 years.
Here is a list of the primary reasons cited for turning to security services:
- 39% say that “security service providers can perform certain security tasks better than we can.”
- 34% say that “new types of security threats persuaded my organization to seek outside expertise.”
- 29% say that they “don’t have a large enough security staff to handle all security responsibilities.”
- 28% say that they “don’t have specific security skills in-house so the organization decided to outsource some security tasks.”
- 27% say that “information security is not core to the business so my organization decided to seek outside expertise.”
The pattern here is pretty commonplace. Large organizations use security services for mundane tasks they have no interest in owning or highly-skilled activities where they need outside expertise.
The wildcard here is the skills shortage which is exacerbating demand on both ends of the spectrum. For example, if enterprises are looking to service providers for specialized security expertise (security architects, analysts, forensic experts, etc.), when will the demand and supply curves cross so that the skills shortage starts to really impact service providers and not just enterprise organizations? Based upon my research and lots of meetings, this is already happening. When security service providers can't hire fast enough to meet demand, we all may be in big trouble.