Traversing the crowded halls of Moscone Center in San Francisco this month, it was hard to imagine that a global shortage of data security professionals looms over the industry. With over 42,000 attendees at the annual RSA Conference, all jostling for a look at the latest wares on display from 700 exhibitors, could the business world really be suffering from a crippling scarcity of qualified cybersecurity personnel?
Yes, it could. Multiple new surveys released at the event bring the point home quite effectively.
According to a poll of 336 security professionals conducted by Dimensional Research on behalf of Tripwire:
- 80% of respondents believe it's getting more difficult to find skilled cybersecurity professionals
- 93% say the skills required to succeed as a security professional have recently changed, complicating the search for qualified personnel
- 94% say they have invested in, or are likely to invest in, managed services for security, effectively looking outside their own organizations to shore up their security capabilities
In another poll, fielded by ISACA (previously known as the Information Systems Audit and Control Association; ISACA now goes by its acronym only), the nonprofit organization for security and governance professionals said nearly 70% of those surveyed have cybersecurity teams that are already understaffed. Almost 60% reported having current unfilled cybersecurity positions.
In his blog announcing the survey results, ISACA’s board director, retired Brig. Gen. Gregory Touhill, wrote, “With cybersecurity professionals being such a high demand/low density asset, organizations ought to think out-of-the-box to ensure they have the right people, with the right skills, in the right place, at the right time. They need to look at other sources of talent.”
Seeking trusted partners to fill the security skills gap is becoming a key to mounting a vigorous defense against cyberattacks, said Lamar Bailey, senior director of security research at Tripwire.
“Because security teams are stretched thin, it’s going to be more important than ever to build strong partnerships,” he said. “Maintaining a strong foundation of security is non-negotiable, so it’s imperative that organizations partner across the info security community to continue meeting security goals effectively.” Among the approaches mandated by this talent crunch are increased reliance on automation of security tasks, and support from outsourced, managed services, he said.
Another major theme at this year’s event was the prospect of placing greater reliance on cloud-based capabilities, which have the potential of requiring fewer staff to deploy and maintain. However, not all of these so-called “next-generation” security solutions are created equal. In addition, IT and security leaders evaluating cloud solutions would be well-advised to seek and develop staff who are suited to adopting these next-gen tools, said Vince Campitelli, enterprise security specialist at the Cloud Security Alliance and former VP of IT risk management at McKesson Corp.
“As firms adopt and implement multi-cloud and hybrid cloud strategies, the risk of effective security will be transferred in part to those cloud providers,” Campitelli said. “This transformation, in my opinion, will require new skill sets and competencies in the security function. So the resource gap should be filled by personnel with these new skill sets. An obviously important trait will be the ability to understand the changes and communicate them to the C-suite.” He added that the injection of cloud capabilities should fuel needed diversity in the security field, as it will require more skilled workers with enhanced cultural, process and relationship-oriented competencies.
“To use the Wayne Gretzky analogy of skating to where the puck will be, we should aim for personnel with the skills to be successful in the transformed world they will be expected to operate -- not the old one they are leaving behind,” he said.
As the burgeoning numbers of attendees and exhibitors at RSA 2019 amply demonstrated, “There are plenty of companies and individuals out there claiming to be security experts,” noted Luis Cupajita, SVP and CIO at King's Hawaiian in Torrance, Calif. However, IT leaders need to be extremely choosy as they evaluate individuals and organizations seeking to fill gaps in their security infrastructure. “Few are truly competent in addressing the broad set of interlocking components that make for a solid cybersecurity solution,” Cupajita warned. “There are many siloed solution vendors and technical resources, but few solid cybersecurity architects to pull all of the pieces together in a comprehensive and efficient manner.”
Under Cupajita’s leadership, King’s Hawaiian has placed a major emphasis on creating and executing a security roadmap that includes upgrading skill sets within the existing team, as well as establishing robust processes and procedures, and introducing new software/hardware components. “It was the traditional people, process and technology approach.”
However, Cupajita’s plan was predicated on seeking “a balance of strong external partnerships for certain services, and strong internal overall capabilities so that we would not just be beholden to vendor/partners, but have an ability to independently chart our own course and support ourselves effectively,” he said.
“At the end of the day it’s ‘buyer beware.’ As such, you're better off developing some internal expertise so that as you begin the task of selecting products and partners, you can end up with an effective and sustainable solution for your company.”