Infosec is a technical discipline, but it also requires good, skilled cybersecurity professionals. We take a look at the bigger picture.
We all know about the various cyber threats that organizations face today: the highly sophisticated cybercriminal groups in operation; the new and old variants of malware that are deployed; the well-worn mistakes of the past that we continue to make (like opening phishing emails and inserting infected USB sticks into our computers).
Some of the solutions to these challenges are relatively straightforward. Cybercriminals and malware can be mitigated, sandboxed and investigated, while employee mistakes can be ironed out through well-implemented – and regularly practised – cybersecurity awareness programs.
While these measures, along with other protection like security software, will significantly reduce the cyber risks enterprises face, the threat can never be fully eradicated for all the reasons cited above.
However, more can be done to bolster your defences, namely having good, skilled cybersecurity professionals on your information security team. This single issue will often determine the difference between companies that react well to a security incident and those that don’t.
Some enterprises are finally coming around to fixing this problem. A recently released report from Robert Half revealed that organizations today must invest in the “right talent” to protect themselves from the threats. It said that this investment can transform the way that businesses think about and respond to cyber attacks and cyber risks.
Phil Sheridan, senior managing director at Robert Half, explained in the report: “In order to successfully confront a proliferating breed of cyberattackers, companies need skilled IT talent who understand the current and evolving cyber threat environment. With a robust strategy in place, companies will be prepared for the future of cybersecurity.”
So why aren’t organizations simply hiring themselves some information security pros? Surely that would solve the problem? Reduce the risks? If only it were that easy.
Unfortunately, there is a massive skills shortage. With the security world forever changing in the face of new technologies and an evolving threat landscape, the security profession simply cannot move fast enough to keep up. There are not enough (skilled) people to go around.
Companies are increasingly investing in various platforms and tools to protect their IT systems and networks, but the rising threat of data theft and fraud – as well as the Bring Your Own Device phenomenon and the rapid growth of the Internet of Things – means an increased demand for security professionals.
“New technologies raise new security concerns,” highlighted Sheridan. “This trend has resulted in an IT security skills gap since the available expertise has not kept pace with the evolving IT threats.”
Moreover, the Robert Half report found that 77% of UK CIOs are of the opinion that they will face more security threats in the next five years owing to a shortage of IT security talent.
Another report, from Spiceworks, once again highlights the shortage, revealing that only 29% of IT professionals at organizations in the US and UK work alongside an in-house cybersecurity professional in their IT department.
Interestingly, a report from security training body ISC2 revealed that almost half (45%) of security professionals blamed breaches on a lack of qualified personnel.
Infosec competing against Facebook
There are a number of reasons for this skills shortage, and chief among them is that information security is fighting a losing battle in a world where people dream of making it big in Silicon Valley.
After all, many security professionals acknowledge that most computer science graduates would prefer to build the next Twitter, Facebook or Instagram than become a security engineer or architect. There is also the perception, not diminished by TV’s Mr Robot, that to be in security you have to be technical. This is not always the case. Indeed, some of the emerging CISOs come from other sectors.
There’s also the suggestion that infosec just doesn’t register when people think of careers: the recent Securing Our Future: Closing the Cyber Talent Gap report revealed that 62% of millennials had never been told by a teacher or guidance counsellor that a career in cybersecurity was an option.
Recent figures confirm not only that the skills gap is there, but that it is widening all the time. ISC2 estimates there will be a shortage of two million professionals by 2017, while a 2015 investigation from SC Magazine revealed that interest in – and admittance to – security-related degrees is on the wane. Unfortunately, the shortage shows no signs of abating anytime soon.
All’s not lost
There is, fortunately, light at the end of the tunnel. Smart companies are increasingly partnering with universities to pick the cream of the crop, while governments are starting to accredit their own university courses. There is also a never-ending supply of tournaments and hackathons (like Cyber Bootcamp) to identify – and hire – the right person for your company.
You need a strong security team to manage your security, improve your risk management and keep the cybercriminals out. As part of this, you should not only have the right technology tools but also implement a good cybersecurity program and work with pen testers to regularly check and improve your environment.