Cisco Subnet: An independent Cisco community

Cybersecurity Skills Haves and Have Nots

Only a small fraction of enterprise organizations have adequate security skills and an appropriately sized security organization

I've written a lot lately about the cybersecurity skills shortage.  For example, 25% of organizations claim that they have a problematic shortage of IT security skills.  On an industry basis, 36% of government agencies say they have a problematic shortage of IT security skills, followed by 29% of manufacturing companies, and 28% of financial services firms.

ESG often builds a segmentation model as part of its research projects to further analyze survey data.  The segmentation model divides the total survey population into 3 distinct groups:  Advanced organizations (i.e. those with the most cybersecurity resources and strong security policies and processes), progressing organizations (i.e. those with marginal cybersecurity resources and adequate security policies and processes), and basic organizations (i.e. those with fair/poor cybersecurity resources and inadequate security policies and processes).  Typically, advanced organizations make up around 20% of the survey population, progressing organizations represent around 60% of the survey population, and basic organizations account for the remaining 20%.

The ESG segmentation model paints a more granular and alarming picture of the cybersecurity skills shortage as follows:

1.  Survey respondents were asked if they had an adequate number of employees in their information security organizations.  Looking at the total survey population, only 17% of enterprise organizations say that the size of their information security organization is adequate in all cases.  When analyzed by the ESG segmentation model, the situation looks much different.  It turns out that 31% of advanced organizations say that the size of their information security organization is adequate in all cases, as compared to 17% of progressing organizations and only 1% of basic organizations. 

2.  Survey respondents were also asked if they had adequate cybersecurity skills in their information security organizations.  Once again, only 17% of enterprise organizations say that their information security skills are adequate in all cases.  In terms of the segmentation model, 48% of advanced organizations believe that their information security skills are adequate in all cases, as compared to 10% of progressing organizations and 0% of basic organizations.

Clearly, advanced organizations are in the best position, but even these leaders admit that their security staff and skills prove to be inadequate in some cases.  By contrast, progressing and basic organizations are clearly under-staffed and under-skilled.

Like all other businesses, cybercrime is all about ROI.  As a hacker, I want to steal the biggest booty in the least amount of time.  Judging by the ESG Research, more than 80% of enterprise organizations currently lack the right skills and human resources to protect their IT assets.  Little wonder why cybercrime is so rampant. 
