Demand for information security professionals has already started exceeding supply. It’s a trend that, if allowed to continue, could seriously affect the rate of technological advancement. There is a 1.5 million shortage expected within five years, according to Frost and Sullivan’s latest Global Information Security Workforce Study, although the effects of security skills scarcity can already be seen. Response time to incidents appears to be increasing, which points to a mounting pressure among security professionals. Only 20% feel confident that response to a system or data compromise can be carried out within one day, which is down from 33% in 2013.
Galix Networking's MD and QSA, Simeon Tassev, says the reason for this shortage has to do with the length of time it takes to qualify as a security professional.
"All international security certifications, even the generic ones (such as CISSP) require a minimum of four years of practical working experience - and this extends to related certifications, like compliance, as well. The issue is that technological progress doesn't wait. Threats are now evolving too quickly for qualifying security professionals to keep up. And this is becoming a real problem because it's simply not possible to fast-track this process as extensive knowledge and lengthy experience are essential in this field."
Marthinus Engelbrecht, CEO of NEWORDER INDUSTRIES, says he can see how each day more and more companies are compromised due to a lack of specialist information security consultants. "With no security professionals to call on, companies are looking to their internal ICT departments to address security issues, and that only exacerbates the problem. With cybercriminals becoming increasingly sophisticated, companies simply cannot expect their internal ICT guys to safeguard them against threats."
Saicom Voice Services CTO, Greg de Chasteauneuf, adds that these mounting security problems are not just affecting companies, but the country as a whole. "Cybercrime in SA, for the most part, goes unreported since the country’s authorities lack the resources and know-how to trace these breaches. This means the private and personal information of SA citizens is constantly at risk."
What to do?
Although such a dramatic shortage in security skills can definitely be classified as a crisis, there do seem to be ways to lessen the severity of the impact.
"For starters, companies can focus on user education," says Engelbrecht. "People still account for the largest risk potential within a corporate environment, and this applies to system administrators as much as any other employee. The introduction of the Internet of Things (IoT) into the corporate arena is allowing for even more potential security risks than we already face. Companies need to treat information security awareness as a priority, especially since the skills shortage problem is not bound to go away any time soon."
He further warns against the reliance on automated security toolsets as a means of data protection. "Automated security solutions see only the tip of the iceberg, and can only ever provide value if used in conjunction with a qualified and experienced information security professional."
Tassev concurs: "Automated security solutions are not necessarily effective enough. While there are various tools and automated security solutions that will assist in the enhancement of an organisation's overall security, they are just tools, dependent on someone to make use of them. And not just anyone, mind you, but someone who has the necessary skills and knowledge to interpret what the tools are delivering."
A recent Tripwire study found that 66% of respondents faced increased security risks due to this workforce shortage, and 69% have attempted to use technology solutions to fill the gap.
Tassev believes the most common way of dealing with a security skills shortage is through outsourcing. "This approach could be successful since the right combination of tools and the amount of time required from a specialist to be physically involved is minimised. Instead of a security specialist sifting through logs, the specialist can now turn to a summary report of all actions, or drill down and report on whatever is deemed necessary. This makes it possible for the specialist to provide the same functionality to a number of companies, and not just one."
According to De Chasteauneuf, much of the security skills shortage tragedy can be avoided if the industry establishes several Security Operations Centres (SOCs) focused on proactive monitoring and risk mitigation. "The SOC is nothing new, but in the context of a global security skills shortfall, will become as ubiquitous a function as an IT helpdesk. The reality is that very few organisations will have the commercial means to deploy and maintain such a task team, and will look to outsource their security instead."
Ultimately, it comes down to investment, says Fortinet SA's major account manager for public sector, Ron Harris. "Skills development may be a longer-term endeavour, but it is crucial that we seriously start investing in it. Although several IT stakeholders and local organisations are already investing in IT security skills development, it’s clearly not enough. Both public and private sectors should be doing more to boost cybersecurity training and enable certification programmes that deliver both theoretical and practical training. A global security skills shortage is a very stark indication that we are failing and we need to work together to fix it," he concludes.
More criminals than cops?
A recent Kaspersky Lab study revealed how highly skilled and highly impressionable under-25s are increasingly drawn towards cybercrime.
Some of the report's findings:
35% of all respondents feel uncomfortable about people who have the skills to hack
A third of under-25s (31%) are able to hide their IP address
One in four (27%) have considered a career in cybersecurity
47% regard it as a good use of their talent
Only half (50%) of under-25s would actually join the fight against cybercrime
17% would use their skills for fun, 16% for secretive activities, and 11% for financial gain
To solve the problem, Kaspersky Lab believes more should be done at an employer-level to encourage young people to enter cybersecurity careers as well. Even among IT security professionals, 27% admit organisations themselves must do more to offer training and graduate schemes.
“There is a skills gap that needs to be addressed by both industry and education if we are to enthuse young people about entering the cybersecurity workplace. This generation is closer to technology than any before, and will run rings around the industry soon enough, escalating the threat of cybercrime if they are not brought onside and given opportunities to blossom. Their talent should be harnessed and nurtured for society’s good,” concludes Eugene Kaspersky.