I’ve written a lot about the security skills shortage but it is worth reviewing a bit of data here for context. According to ESG Research, 55% of enterprise organizations (i.e. those with more than 1,000 employees) plan to hire additional security professionals in 2012 but they are extremely hard to find. In fact, 83% of enterprises claim that it is “extremely difficult” or “somewhat difficult” to recruit and/or hire security professionals in the current market.
Given this data, it is fair to assume that many IT security organizations are short staffed and pushing the security team to its limits. As if this wasn’t bad enough, ESG data also points to 3 trends that exacerbate the security skills shortage, further impacting the effectiveness of the precious few security personnel in place:
1. Critical skills deficits. Along with the shortage of staff, many organizations report that their security staff lacks skills in critical areas such as network security, cloud computing/server virtualization security, mobile device security, and security analysis/forensics.
2. Security staff time management. Large organizations indicate that one of their biggest problems is that their security professionals spend an inordinate amount of their time putting out fires. This limits the time for other more proactive security activities.
3. Security tools complexity and lack of automation. Security vendors built tools rich in feature/functionality and designed for customization. Unfortunately, many large organizations don’t have the time or staff necessary to fine-tune them or develop expertise in their use.
Think about the cumulative effect here. Large organizations don’t have an adequate number of security professionals on the payroll. Those people they have lack the right skills in one or several critical areas. The under-manned security staff spends too much time reacting to problems and not enough time planning or learning. Finally, these security skeleton crews are asked to do their jobs using tools that are too complex and time-consuming for them.
If this isn’t scary, nothing is. I really, really don’t understand why this situation is not getting more attention in Washington, Silicon Valley or leading Computer Science-focused Universities.
Clearly there is an opportunity here for leading security service providers like BT, Dell, HP, IBM, Unisys, and Verizon. If you can’t hire employees, you have no choice but to outsource. This could also help federally-focused integrators like CSC, L3, Lockheed-Martin, McDonnell Douglas, Raytheon, and SAIC crack into the commercial sector in a big way.
Security technology vendors like Check Point, McAfee, Palo Alto Networks, Sourcefire, Symantec, and Trend Micro should also take note. The data indicates that security products that offer the most intelligence, automation, and ease-of-use will win – not those with tons of complex bells-and-whistles.
I hope security services and technology vendors internalize the implications of the security skills shortage, develop new products and services, and capitalize on this problem. If not, things are going to get a lot worse – for all of us.