Like all other industry analysts, I offered my prognostications for 2015 in my blog way back in 2014. Prediction #1 on my list: widespread impact from the cybersecurity skills shortage.
I’ve been screaming about the cybersecurity skills shortage for a number of years as I believe it may be one of the most important issues that receives an inadequate amount of media and industry attention. Now, I may be a tad on the emotional side about the cybersecurity skills shortage, but I try to base my rants and obsessions on cold hard facts rather than my opinion whenever I can.
To that end, ESG is about to publish the results of its annual IT Spending Intentions research (note: I am an ESG employee). Once again, the cybersecurity skills shortage is front and center in the research data.
As part of its global research project, ESG asked 591 IT and infosec professionals if their organizations planned to add headcount in 2015. It turns out that half of all responding organizations plan to add a significant or small number of new IT staff positions in 2015. Respondents working at organizations adding new IT staff positions in 2015 were then asked to identify the area(s) in which they would add headcount. The top three areas identified were:
- 43% said that their organization planned to add new IT staff positions in information security
- 34% said that their organization planned to add new IT staff positions in IT architecture/planning
- 34% said that their organization planned to add new IT staff positions in server virtualization/private cloud infrastructure
Think of this data as the demand side of the equation, and obviously infosec skills are in high demand. So what about supply? As part of its annual survey, ESG asks the following question: In which of the following areas do you believe your IT organization currently has a problematic shortage of existing skills? The top three responses to this question were:
- 28% said that their organization had a problematic shortage of information security skills
- 23% said that their organization had a problematic shortage of IT architecture/planning skills
- 22% said that their organization had a problematic shortage of mobile device management skills
This data indicates that information security skills must be in short supply since so many organizations report a problematic shortage. If that weren’t enough proof of a profound problem, here’s the kicker and a primary reason why I continue to scream about the cybersecurity skills shortage: information security has been the top “problematic shortage of existing IT skills” category for 4 years in a row!
There will be a number of other data points from the ESG IT Spending Intentions research over the next few weeks, but in aggregate, the research seems to indicate that the cybersecurity skills shortage is only getting worse.
Any economics book will tell you that high demand and short supply can lead to market turmoil. In this case, I anticipate hyper salary inflation, acute cybersecurity skills shortages at mid-market, public sector, and rural organizations, and a massive shift to MSSPs by organizations that simply can’t hire skilled infosec professionals. Based upon this situation, I recommend that CISOs consider the ramifications of the cybersecurity skills shortage in every policy, process, and technology decision they make in 2015.