IT Skills Gap Hurts Enterprise Security: Survey - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
IT Leadership // Security & Risk Strategy
Commentary
7/6/2016
09:06 AM
50%
50%

IT Skills Gap Hurts Enterprise Security: Survey

A survey of IT executives, managers, and practitioners finds the biggest challenges in infosec are around skills, not technology.

Security Threats Hiding In Plain Sight
Security Threats Hiding In Plain Sight
(Click image for larger view and slideshow.)

When the subject is security, the conversation tends to center on spending. But, according to the results of a new survey sponsored by cloud security vendor SkyHigh Networks and conducted by the Cloud Security Alliance, budget is only one of the issues concerning IT executives when it comes to protecting data and networks in the age of the cloud and mobility.

That's not to say budget isn't a factor. In fact, more than half of the survey's 228 respondents (53.7%) said they expect their organization's IT security budget to increase in the next 12 months. Survey respondents were professionals working in IT or IT security around the globe. Fewer than half of the survey respondents (43%) had the title of manager and above, while the rest of the respondents held various hands-on staff roles in IT or IT security.

But focusing on budget only tells part of the story. In a telephone interview with InformationWeek, Kamal Shah, senior vice president product and marketing at SkyHigh Networks, highlighted several additional points from the survey that could deeply affect IT security.

One item Shah focused on was the skills gap many IT departments face. Incident response management was cited by 80.4% of respondents as one of the most important IT skills in the next five years. Experience with large datasets was cited by 74.7% of respondents, and 66.4% said communication with non-IT departments is essential.

As Shah said, "You can't be operating in a silo. You have to be able to talk to users to help reduce the risk to the enterprise."

[Should some of the new enterprise security hires be women? Making that happen could be harder than you think. Read: Why Aren't There More Women in IT Security?]

Experience with large data sets is a desired employee trait not limited to the security group. Within security, though, it's tied to two other factors that directly affect security. "When you get an alert, what do you do with it? What we find is there is a little bit of alert fatigue going on," Shah said. The sheer volume of alerts in an enterprise system pairs with complaints echoed in the survey results.

Four in ten respondents (40.4%) said alerts don't carry information that can be acted upon. In addition, 31% of respondents said they have ignored alerts because of the number of false positives they see on an ongoing basis. Some 27% said they have experienced incidents requiring action for which they received no alerts from their security tools.

The majority of those responding to the survey, regardless of their position, felt that the security budget will increase during the next year.
(Image: SkyHigh Networks)

The majority of those responding to the survey, regardless of their position, felt that the security budget will increase during the next year.

(Image: SkyHigh Networks)

All of this indicates that a lack of information is not what respondents view as their primary security problem. Rather, it's lack of the knowledge and lack of ability to do anything with the information they're given.

In our interview, Shah said one of the things he took away from the survey is that a company can't simply spend its way out of an enterprise security deficit. "It's not just about buying new tools and new toys, but making sure that the employees are trained and have the skills to take advantage of those technologies in the most effective way," he said.

A wide range of skills are seen as important for infosec workers in the coming years.

(Image: SkyHigh Networks)

A wide range of skills are seen as important for infosec workers in the coming years.

(Image: SkyHigh Networks)

Executives and staff members responding to the survey differed regarding how to best address the employee skills deficit. "Employees feel that the best answer is training existing teams, while executives looked at hiring and training new people," Shah said.

More than a third of respondents in hands-on staff roles (38.1%) said better training for existing IT employees was the best way for a company to respond to the skills deficit. Conversely, 46% of senior executives and 36.7% of manager-level professionals said increasing the hiring and training of junior IT professionals was the best way to respond to the skills deficit.

Practically no one thinks that outsourcing security is the right answer. The only disagreements are about who, precisely, should get the new training.

(Image: SkyHigh Networks)

Practically no one thinks that outsourcing security is the right answer. The only disagreements are about who, precisely, should get the new training.

(Image: SkyHigh Networks)

The takeaway from all the surveyed job functions is that people skills are more important than technology innovation for improving enterprise technology. If only those skills could be purchased as easily as new technology, the impression is that CISOs, CIOs, managers, and technical workers would all sleep better at night.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Commentary
Enterprise Guide to Edge Computing
Cathleen Gagne, Managing Editor, InformationWeek,  10/15/2019
News
Rethinking IT: Tech Investments that Drive Business Growth
Jessica Davis, Senior Editor, Enterprise Apps,  10/3/2019
Slideshows
IT Careers: 12 Job Skills in Demand for 2020
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/1/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll