A recent survey by Tripwire has highlighted a growing concern amongst organizations about a shortage of staff with the relevant training and cyber security skills.
Tripwire, a leading provider of security and operations solutions, revealed that 91% of respondents to their survey believed the shortage so severe that they would need to outsource some security operations. This was due to their inability to fill jobs internally with the necessary cyber security skills.
Widespread adoption of Cloud computing, the Internet of Things (IoT) and DevOps is changing the nature and spectrum of security threats. These technologies, plus an evolution towards more sophisticated attacks (for example the rise of supply chain hacking), have resulted in a shortage of professionals and cyber security skills in specific areas.
This shortage of cyber security skills has led most organizations to believe that they will be unable to protect against security flaws and will therefore be vulnerable to attack.
The Tripwire survey: Key figures
Of the survey respondents, 79% said they had an increased demand for network monitoring and vulnerability management personnel, and some 88% needed more expertise with the Cloud in particular.
Set against this identified need to fill the jobs gap, 50% of respondents were concerned about losing skills, and 24% were concerned over their ability to address security issues and respond to cyber threats. They recognized that the cyber security skills gap would leave their organizations exposed.
Most organizations believe they are vulnerable
A separate piece of research by Thales earlier this year highlights that one in four (26%) of respondents experienced a data breach in 2016 and 30% believe their organization is “very vulnerable” or “extremely vulnerable” to cyber attacks. This is very much in line with the Tripwire report, which showed that 52% were concerned about keeping up with vulnerabilities.
Tim Erlin, Vice President of Product Management and Strategy at Tripwire, agrees with the respondents’ concerns: “Considering the recent high-profile threats that have been attributed to unpatched systems, it’s no wonder respondents are concerned that a technical skills gap could leave their organizations exposed to new vulnerabilities.”
The recent Equifax and SEC breaches clearly demonstrate the need to keep vulnerabilities in check. Ferruh Mavituna, CEO of Netsparker, says: “The Equifax hack is a perfect example that highlights how businesses can get bitten if web application security is not taken seriously. Researchers identified a cross-site scripting vulnerability on their website back in 2016, yet Equifax never responded to their reports and never fixed it.”
The increased demand for cyber security professionals with specific skills will only get worse as companies are faced with the need to secure their environment even as they continue to adopt new and innovative technologies.
Cloud, Internet of Things and DevOps driving demand
Aside from continual and ever-present Distributed Denial of Service (DDoS) attacks, the last couple of years have seen a string of high-profile hacks, with companies such as Yahoo, Instagram and Equifax breached, resulting in the exposure of millions of users’ sensitive personal information. Ransomware has proliferated and supply chain attacks are the latest in an ever-evolving assault on corporate IT environments.
In addition, the popularity and widespread adoption of Cloud applications and storage, the emergence of the Internet of Things (IoT) and the adoption of DevOps have shifted the specific cyber security skills required by companies.
Information and data security has become a huge challenge for businesses, with many slow to adopt the internal risk management culture and additional training necessary to combat threats. The job facing IT and security managers is to identify which cyber skills are needed and provide training or recruit for them. In general, it is known broadly where the risks are and therefore filling jobs and training staff should naturally follow. However, the Tripwire survey showed that 91% of respondents indicated that they expect to outsource security if unable to recruit the professionals themselves. And 97% believed technology vendors can help to address the shortfall in skills. So why the emphasis on outsourcing rather than hiring and training?
Outsourcing as a solution to cyber security skills shortage and turnover
The cybersecurity skills shortage creates problems not only in filling roles but also in retaining the professionals in the job in question. As long as the shortage exists, simple supply and demand theory dictates that a better offer is always available. As a result, staff turnover is a real problem for many organizations.
The question of outsourcing was put to Tim Erlin, Vice President of Product Management & Strategy at Tripwire: specifically, whether the intention of organizations to outsource indicated that the skills in short supply were deemed “short term” needs.
He responded: “While simply finding the talent can be a challenge, one of the bigger issues organizations face is dealing with turnover. The skills aren’t short term needs, but keeping talented employees can be difficult. In addition to providing skilled resources, a service provider helps an organization insulate against turnover.”
Outsourcing is already a common way for a business to keep up in a fast-changing security landscape. EY’s 2016 cybersecurity survey found that 41% of respondents already outsourced security monitoring and 52% their vulnerability assessments. The benefit to a business in handing over these core security tasks is that the education, training and development of the IT professional is contracted out alongside the work itself. The problem of staff turnover is also handed over, and there may be benefits from a wider range of experience and knowledge base at the contractor. In a fast-moving world, this is a big advantage.