IT Skills Gap Hurts Enterprise Security: Survey

Security Threats Hiding In Plain Sight

When the subject is security, the conversation tends to center on spending. But, according to the results of a new survey sponsored by cloud security vendor SkyHigh Networks and conducted by the Cloud Security Alliance, budget is only one of the issues concerning IT executives when it comes to protecting data and networks in the age of the cloud and mobility.

That's not to say budget isn't a factor. In fact, more than half of the survey's 228 respondents (53.7%) said they expect their organization's IT security budget to increase in the next 12 months. Survey respondents were professionals working in IT or IT security around the globe. Fewer than half of the survey respondents (43%) had the title of manager and above, while the rest of the respondents held various hands-on staff roles in IT or IT security.

But focusing on budget only tells part of the story. In a telephone interview with InformationWeek, Kamal Shah, senior vice president product and marketing at SkyHigh Networks, highlighted several additional points from the survey that could deeply affect IT security.

One item Shah focused on was the skills gap many IT departments face. Incident response management was cited by 80.4% of respondents as one of the most important IT skills in the next five years. Experience with large datasets was cited by 74.7% of respondents, and 66.4% said communication with non-IT departments is essential.

As Shah said, "You can't be operating in a silo. You have to be able to talk to users to help reduce the risk to the enterprise."

[Should some of the new enterprise security hires be women? Making that happen could be harder than you think. Read: Why Aren't There More Women in IT Security?]

Experience with large data sets is a desired employee trait not limited to the security group. Within security, though, it's tied to two other factors that directly affect security. "When you get an alert, what do you do with it? What we find is there is a little bit of alert fatigue going on," Shah said. The sheer volume of alerts in an enterprise system pairs with complaints echoed in the survey results.

Four in ten respondents (40.4%) said alerts don't carry information that can be acted upon. In addition, 31% of respondents said they have ignored alerts because of the number of false positives they see on an ongoing basis. Some 27% said they have experienced incidents requiring action for which they received no alerts from their security tools.

All of this indicates that a lack of information is not what respondents view as their primary security problem. Rather, it's lack of the knowledge and lack of ability to do anything with the information they're given.

In our interview, Shah said one of the things he took away from the survey is that a company can't simply spend its way out of an enterprise security deficit. "It's not just about buying new tools and new toys, but making sure that the employees are trained and have the skills to take advantage of those technologies in the most effective way," he said.

A wide range of skills are seen as important for infosec workers in the coming years.

Executives and staff members responding to the survey differed regarding how to best address the employee skills deficit. "Employees feel that the best answer is training existing teams, while executives looked at hiring and training new people," Shah said.

More than a third of respondents in hands-on staff roles (38.1%) said better training for existing IT employees was the best way for a company to respond to the skills deficit. Conversely, 46% of senior executives and 36.7% of manager-level professionals said increasing the hiring and training of junior IT professionals was the best way to respond to the skills deficit.

Practically no one thinks that outsourcing security is the right answer. The only disagreements are about who, precisely, should get the new training.

The takeaway from all the surveyed job functions is that people skills are more important than technology innovation for improving enterprise technology. If only those skills could be purchased as easily as new technology, the impression is that CISOs, CIOs, managers, and technical workers would all sleep better at night.