ESG recently published a new research report on network security titled, Network Security Trends in the Era of Cloud and Mobile Computing (note: I am an ESG employee). Within this project, ESG asked 397 security professionals working at enterprise organizations (i.e. more than 1,000 employees) to rate their security teams in a number of network security areas. Once again the data points to a pretty substantial skills gap:
- 30% of organizations say that the network security skills of the infosec staff are inadequate in some, most, or all cases.
- 44% of organizations say that the number of networking/security staff with strong knowledge in both security and networking technology is inadequate in some, most, or all cases.
- 38% of organizations say that the ability of the security staff to keep up with network security changes is inadequate in some, most, or all cases.
- 37% of organizations say that the ability of the security staff to keep up with the threat landscape is inadequate in some, most, or all cases.
- 47% of organizations say that the number of employees dedicated to network security is inadequate in some, most, or all cases.
What’s most troubling about this data is that network security is nothing new. Large organizations have been segmenting networks, filtering packets, and managing firewalls, IDS/IPS, network proxies, and assorted gateways for years. In spite of this experience however, they remained under-skilled and understaffed and thus more vulnerable than they should be.
You don’t have to look very far to see market ramifications of the cybersecurity skills shortage. Network security vendors like Check Point, Cisco, Fortinet, McAfee, and Palo Alto are working on multi-function platforms, integrated architectures, and intuitive GUIs to make network security easier and more comprehensive. Meanwhile, security analytics firms like 21CT, Click Security, Lancope, LogRhythm, HP, IBM, ISC8, Narus, and RSA Security are throwing big data technology at the problem by capturing, processing, and analyzing more network data using a slew of algorithms.
While product vendors work on easy-to-use products, security service providers are the real winners here. Firms like Accuvant, AlertLogic, BT, Dell (SecureWorks), Fishnet, and Symantec are seeing record growth in professional services and SaaS security offerings.
Yes, smart product vendors and service providers stand to benefit from the continuous cybersecurity skills shortage but in the meantime, all of our data is at risk. October is Cybersecurity Awareness Month. Let’s hope that academic institutions, government agencies, and the security industry takes advantage of the spotlight by bringing attention to the cybersecurity skills shortage problem and working together to come up with some real solutions.