Threats are not going away. The increased global dependency on technology, combined with the evolving complexity of cybersecurity threats, continues to increase our vulnerability at a national, organisational and individual level.
Left unchecked, these incidents will rise and become more sophisticated and harder to detect. Securely managing networks against a backdrop of ever more complex and frequent threats is presenting CIOs with a major challenge. For many organisations it is no longer possible to tackle the growing problem in-house, and the reason is a major IT skills shortage.
The people problem
There are many challenges facing CIOs and few are more demanding than the lack of people. Evidence shows there is an ongoing recruitment challenge in cybersecurity. Training and development challenges are often to blame. According to the ISACA 2014 APT Survey, 62% of organisations have not increased security training in 2014 though, in direct contrast, the cost of breaches is thought to have doubled last year in the UK alone.
Furthermore, according to NTT Group’s Global Threat Intelligence Report, 77% of organisations supported during incident response activities had no incident response plan in place. This suggests there are skills shortages in key areas of cyber security, and that more focus could be given to prioritise resources to optimise IT security and risk management.
Geographical location too plays its part in explaining the skills gap. In Europe, much of the skills shortage can be attributed to the move towards offshoring technology operations to India in the mid 90s. As a result, between 1998 and 2000 it’s estimated that 70% fewer graduates attended courses that were core to entering IT professions. The result is a skills gap that may take generations to fill – 20 years according to the UK’s National Audit Office.
This leaves us with a widening gap in the number of IT security experts needed to manage the growing number of threats. There are too many threats and not enough professionals.
The threat problem
Whatever the reason for the skills shortage, organisations are faced with a growing volume of cyberattacks. In 2013, there was a 62% increase in the number of security breaches according to the World Economic Forum, and 2.5 billion records had been exposed in the last five years as a result of a breach.
It’s therefore worrying to see the Cisco 2014 Annual Security Report estimate there are 1 million unfilled security jobs worldwide. This is unlikely to change in the near future, as there are simply not enough IT security professionals. Organisations therefore need to urgently review their resourcing options if training and development isn’t a viable option.
Some enterprises may choose to sit tight and do nothing about recruitment, but all the indicators are that the security skills gap will be with us for some time. The number of breaches and APT attacks will continue, networks are becoming increasingly complex and Big Data is a perpetual challenge, but are there really enough skilled resources available to analyse the mountains of data and turn it into actionable threat intelligence?
With fewer skilled professionals, some organisations will simply continue to struggle to do anything beyond keeping the lights on. The smarter businesses will take action to understand their risk exposure across the business and prioritise areas to focus on. This enables them to make more informed decisions around resource requirements to help mitigate risk.
But a lack of resource will often mean that there is nobody available internally to carry out the assessment in the first place. Risk and security management are important areas for any organisation and, as the threat landscape evolves, every enterprise needs to consider its current risk exposure in the context of its commercial objectives.
The march towards managed security services
More and more businesses are now outsourcing some or all of their security requirements to Managed Security Service Providers (MSSPs). In fact, the Aberdeen Group highlighted that most of the market growth in network security solutions will come from outsourced and managed models, and the 2013 Aberdeen IQ Survey found that over half of the survey respondents had outsourced at least one of their IT security solutions (up from 36% in 2011).
Hiring help from a third party provider enables the enterprise to benefit from an independent assessment to help them understand their risk exposure, consider best practice, prioritise activities and articulate these at all levels of the business.
It also addresses the issue of IT skills shortages. MSSPs take away the problem of there not being enough resource – they know how and where to find the right experts for a company’s industry, invest in training and improving professional qualifications, and make these experts available around the clock.
Any business thinking of working with an MSSP should exercise caution. Not all providers are the same. Find one that is prepared to work within the business model and strategic aims – not to their own agenda. It’s about getting access to their collective global knowledge and systems, and highly experienced people. This will give the active threat management required to help mitigate risk at a time when the IT skills gap will be hard to fill in the foreseeable future.
Stuart Reed at NTT Com Security