I had the opportunity to present some of my research on the IT security skills shortage at last week's RSA Conference. This is a serious issue that doesn't get nearly enough attention.
According to ESG Research, 25% of enterprise (i.e. more than 1,000 employees) and mid-market (i.e. 250 to 999 employees) organizations claim that they have a "problematic shortage" of IT security skills. Furthermore, of those organizations planning to add IT headcount in 2014, 42% say they will hire IT security professionals. That is the highest percentage of any IT role. In other words, more organizations plan to hire IT security professionals than any other role within IT.
Clearly, organizations are under-staffed when it comes to cybersecurity, but that's not their only problem. Many firms employ security professionals who lack the right skills to get the job done. When ESG asked enterprise security professionals to identify their biggest challenges around incident detection/response, 39% said that they lacked adequate staff, while 28% said that they lacked adequate analytics skills. Alarmingly, many organizations are under-staffed AND under-skilled.
OK, so I've presented my research on the cybersecurity skills problem many times. So have ISC2, Raytheon, the UK National Audit Office, and lots of others. So, given the skills shortage realities, what can CISOs and their organizations do about it? I actually focused on this point in my RSA session. Based upon my discussions with numerous CISOs, I recommend that enterprise organizations:
1. Carefully assess the existing IT security organization. As part of their risk management process, CISOs should make sure to include an analysis of security staff skills, workloads, day-to-day activities, processes, etc. It's critical to look for skills gaps as well as process inefficiencies and deficiencies. For example, you may find that security professionals are doing manual audits of endpoint status, or that changes to security controls take days to get through the security and IT operations workflow. You may also find that the security team has no time at all to learn the ins and outs of complex security technologies and can only babysit different security tools at best. This exercise is designed not only to identify skills gaps, but also to find areas where human resources are used inefficiently. As a tip, it may be worthwhile to peruse the new NIST cybersecurity framework and use it as a guideline for this staff assessment.
2. Outsource or use services for some tasks. When it comes to cybersecurity, organizations that are under-staffed and under-skilled need to offload work quickly. The obvious choices are email security and web security, but firms struggling in areas like continuous monitoring, incident detection, or security investigations should ask themselves an honest question: "Can a service provider do this better than we can?" If the answer is "yes," it's time for CISOs to swallow their pride and shift their focus from security processes and technologies to managing third-party providers. Note that there may be a middle ground where service providers like Dell, Symantec, Unisys, and Verizon are hired for staff augmentation and support. Regardless, it's important to either offload pedestrian tasks or hire service providers to help in areas where the security team struggles.
3. Consider the cybersecurity skills shortage in every decision. When organizations buy new security technologies, craft new policies, or begin new initiatives, CISOs should consider how these moves will be impacted by the cybersecurity skills shortage. For example, a new security analytics tool may not be useful if security analysts have no time for training or customization. Additionally, many firms remain behind in areas like server virtualization, cloud computing, and mobility because there simply aren't enough security resources to go around. Progressive organizations should make sure to consider the IT security skills shortage at a higher level - with new business processes, applications, device support, etc. Remember that ANY IT initiative that isn't supported by the right security resources can greatly increase risk across the whole business enchilada.
4. Turn your organization into a cybersecurity center of excellence. Assuming the right level of support from executive management, business leaders, and HR, CISOs should strive to make their organizations a superior work environment for cybersecurity professionals. This means offering the right training and continuing education benefits, creating clear job titles, defining responsibilities, building IT security career paths, and exposing the security staff to the community of vendors, researchers, and government agencies at large (note: it may be worthwhile to look at the National Initiative for Cybersecurity Education (NICE) framework to get some ideas here). Yes, salaries must be competitive, but many cybersecurity professionals are motivated by continuous education, technology expertise, and public service, not money alone. Remember to market these efforts as well so the word gets out.
CISOs should also create internship and cooperative programs with leading university programs at schools like Carnegie-Mellon, Johns Hopkins, and U. of MD-Baltimore when possible.
One final note: Kudos to HP for announcing a grant of $250k for scholarships to women studying IT security. HP and IBM are two vendors addressing the cybersecurity skills shortage head on. It's time for others to follow their honorable lead.