IT Skills Gap Hurts Enterprise Security: Survey

A survey of IT executives, managers, and practitioners finds the biggest challenges in infosec are around skills, not technology.

Curtis Franklin Jr., Senior Editor at Dark Reading

July 6, 2016

4 Min Read
<p align="left">Practically no one thinks that outsourcing security is the right answer. The only disagreements are about who, precisely, should get the new training.</p>

Security Threats Hiding In Plain Sight

Security Threats Hiding In Plain Sight


Security Threats Hiding In Plain Sight (Click image for larger view and slideshow.)

When the subject is security, the conversation tends to center on spending. But, according to the results of a new survey sponsored by cloud security vendor SkyHigh Networks and conducted by the Cloud Security Alliance, budget is only one of the issues concerning IT executives when it comes to protecting data and networks in the age of the cloud and mobility.

That's not to say budget isn't a factor. In fact, more than half of the survey's 228 respondents (53.7%) said they expect their organization's IT security budget to increase in the next 12 months. Survey respondents were professionals working in IT or IT security around the globe. Fewer than half of the survey respondents (43%) had the title of manager and above, while the rest of the respondents held various hands-on staff roles in IT or IT security.

But focusing on budget only tells part of the story. In a telephone interview with InformationWeek, Kamal Shah, senior vice president product and marketing at SkyHigh Networks, highlighted several additional points from the survey that could deeply affect IT security.

One item Shah focused on was the skills gap many IT departments face. Incident response management was cited by 80.4% of respondents as one of the most important IT skills in the next five years. Experience with large datasets was cited by 74.7% of respondents, and 66.4% said communication with non-IT departments is essential.

As Shah said, "You can't be operating in a silo. You have to be able to talk to users to help reduce the risk to the enterprise."

[Should some of the new enterprise security hires be women? Making that happen could be harder than you think. Read: Why Aren't There More Women in IT Security?]

Experience with large data sets is a desired employee trait not limited to the security group. Within security, though, it's tied to two other factors that directly affect security. "When you get an alert, what do you do with it? What we find is there is a little bit of alert fatigue going on," Shah said. The sheer volume of alerts in an enterprise system pairs with complaints echoed in the survey results.

Four in ten respondents (40.4%) said alerts don't carry information that can be acted upon. In addition, 31% of respondents said they have ignored alerts because of the number of false positives they see on an ongoing basis. Some 27% said they have experienced incidents requiring action for which they received no alerts from their security tools.

All of this indicates that a lack of information is not what respondents view as their primary security problem. Rather, it's lack of the knowledge and lack of ability to do anything with the information they're given.

In our interview, Shah said one of the things he took away from the survey is that a company can't simply spend its way out of an enterprise security deficit. "It's not just about buying new tools and new toys, but making sure that the employees are trained and have the skills to take advantage of those technologies in the most effective way," he said.

CSA-IT-Skills.jpg

Executives and staff members responding to the survey differed regarding how to best address the employee skills deficit. "Employees feel that the best answer is training existing teams, while executives looked at hiring and training new people," Shah said.

More than a third of respondents in hands-on staff roles (38.1%) said better training for existing IT employees was the best way for a company to respond to the skills deficit. Conversely, 46% of senior executives and 36.7% of manager-level professionals said increasing the hiring and training of junior IT professionals was the best way to respond to the skills deficit.

CSA-Skills-Solution.jpg

The takeaway from all the surveyed job functions is that people skills are more important than technology innovation for improving enterprise technology. If only those skills could be purchased as easily as new technology, the impression is that CISOs, CIOs, managers, and technical workers would all sleep better at night.

About the Author

Curtis Franklin Jr.

Senior Editor at Dark Reading

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and other conferences.

Previously he was editor of Light Reading's Security Now and executive editor, technology, at InformationWeek where he was also executive producer of InformationWeek's online radio and podcast episodes.

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has contributed to a number of technology-industry publications including Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and ITWorld.com on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most popular book, The Absolute Beginner's Guide to Podcasting, with co-author George Colombo, was published by Que Books. His most recent book, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, with co-author Brian Chee, was released in April 2010. His next book, Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, is scheduled for release in the Fall of 2018.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in amateur radio (KG4GWA), scuba diving, stand-up paddleboarding, and is a certified Florida Master Naturalist.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights