ESG is about to publish its 2014 IT spending intentions research as it does each year. In reviewing this data, I found continuing bad news about the IT security skills shortage. ESG research found that:
Of those organizations planning on adding new IT staff positions in 2014, 42% say they will increase headcount in information security. This is the highest percentage of all IT skill sets (note: the #2 choice was IT architects at 35%).
Twenty-five percent of all organizations surveyed claim that they have a "problematic shortage" of information security skills at their organizations. Once again, this was a higher percentage than any other individual IT category (note: the #2 choice was IT architects again at 24%).
ESG also looked at the "problematic shortage" of information security skills by industry. The highest percentages are in the following:
36% of government organizations say they have a "problematic shortage" of information security skills. Not a surprise as government agencies tend to pay less than the private sector. Still, this puts a lot of government, military, and intelligence data at risk.
29% of manufacturing organizations say they have a "problematic shortage" of information security skills. This worries me - a lot of process manufacturing IP is likely leaking via industrial espionage.
28% of financial services organizations say they have a "problematic shortage" of information security skills. This should scare everyone - think of the risks to our monetary system and economy. What's more, financial services organizations tend to offer the highest compensation packages. Yikes!
27% of retail/wholesale organizations say they have a "problematic shortage" of information security skills. I happen to know that Target is a very good IT shop. If Target was breached and retailers have a "problematic shortage" of IT security skills, it won't be long until we read about another big breach.
22% of health care organizations say they have a "problematic shortage" of information security skills. Seems low to me based on anecdotal evidence but there is still a lot of risk here as health care data is more valuable to cybercriminals than mere credit card numbers.
It is worth noting that there are a number of valiant efforts in play to bridge the cybersecurity skills gap. The National Initiative for Cybersecurity Education (NICE) headed up by NIST and some of the programs championed by Allan Paller of SANS come to mind. There are strong cybersecurity programs at a number of schools like the University of MD, UT Dallas, USC, Purdue, and Northeastern University. Kudos to IBM as it is pushing cybersecurity education in conjunction with a number of leading universities around the world. Noble? Certainly, but a mere drop in the proverbial cybersecurity skills bucket.
The bad guys are well organized and highly skilled while we are undermanned and under-skilled. In my humble opinion, ALL cybersecurity innovation, strategies, and solutions must take this pressing shortage into account.
Note that I'll be discussing the cybersecurity skills shortage in more depth on Monday, February 24.