Businesses large and small are facing an increasingly diverse and sophisticated array of cybersecurity threats, but are having trouble hiring enough highly skilled employees to help them combat those risks, according to a survey from Intel Security.
Small businesses, in particular, will face increased competition for cybersecurity talent, as larger enterprises with more resources recruit and attract workers, according to Candace Worley, vice president of enterprise solutions marketing at Intel Security.
The survey found that 55 percent of the respondents believe that technology solutions will meet the majority of their organization’s needs within the next five years. Additionally, the survey respondents say in-house talent shortages will be remedied by outsourcing cybersecurity duties to vendor partners and outside firms. The solutions most likely to be outsourced, the survey found, are ones that lend themselves to automation, and include threat detection, network monitoring and access management.
Intel Security commissioned independent technology market research firm Vanson Bourne to undertake the survey. IT decision-makers who are involved in cybersecurity within their organization were interviewed in May 2016 across the U.S. (200), United Kingdom (100), France (100), Germany (100), Australia (75), Japan (75), Mexico (75) and Israel (50).
The respondents were from organizations with at least 500 employees, and came from within both public and private sectors. Interviews were conducted online using a rigorous multilevel screening process to ensure that only suitable candidates had the opportunity to participate, according to Intel Security.
In an interview with BizTech, Worley says that Intel Security wanted to find out if the buzz about a cybersecurity talent shortage was an urban myth. The survey found that there is “absolutely a shortage,” with 82 percent of respondents agreeing that there is a large shortage in their own organization as well as their country as a whole.
Not every cybersecurity skill is in high demand, Worley says, but the survey found that highly valued skills are in critically short supply, with the scarcest being intrusion detection, secure software development and attack mitigation.
According to the survey, these skills are in greater demand than soft skills in communication and collaboration, and a majority of respondents (53 percent) said that the cybersecurity skills shortage is worse than talent deficits in other IT professions.
Why such a talent shortage? Respondents in the survey want the best of both worlds: about half want job candidates with a bachelor’s degree in a relevant technical subject (a minimum credential), yet they also want candidates to have experience and skills acquired from hacking competitions, as well as professional certifications. According to the survey, 68 percent say hacking competitions (such as capture the flag exercises) play a role in developing critical cybersecurity skills within their organization. “They are kind of in a sticky position right now of needing both and finding it difficult to find both,” she says.
Worley says it will take several years to fill the pipeline with qualified candidates and that governments and the educational system need to churn out more candidates with technical degrees. More than that though, Worley says, such young workers also need to understand how hackers work. They need to be able to go down the rabbit hole after an attack “to determine, where did it get in, how did it get in, how did it move through the organization, what did it do on its way, where did it end up?” She says that it takes “extreme problem-solving skills,” and that “those are often harder to teach as part of a formal educational program.”
What are the implications of the talent gap? This shortage in cybersecurity skills does direct and measurable damage, according to 71 percent of respondents. One in three say a shortage of skills makes their organizations more desirable hacking targets, and 25 percent say insufficient cybersecurity staff strength has damaged their organization’s reputation and led directly to the loss of proprietary data through cyberattacks. Without enough qualified IT security personnel, businesses will face the reality that “some things aren’t going to get done as fast as they should get done, and that leaves a window of opportunity for people to take advantage and do nefarious things to your organization.” Small businesses may have intellectual property or databases of customer information (like credit card numbers) that could be attractive to hackers and cybercriminals, Worley notes. Without enough IT security staff, small businesses’ antivirus databases might not be updated quickly enough.
“People will take advantage within 24 hours,” she says. “You’ve got to respond with a level of rapidity and urgency that allows you to plug the hole before the hacker can find it. If you’re down head count, that becomes extremely difficult.”
Typically, small businesses have small IT staffs and cannot afford to have one staff member dedicated solely to cybersecurity, Worley says. That’s why many small companies outsource their cybersecurity to firms that are Intel Security channel partners or systems integrators (though those integrators usually lean toward working with larger enterprises).
“They will manage the security for a small company,” Worley says. “Everything stays up to date. It’s all in one place.” Such firms monitor events, generate reports, manage a company’s cloud back end, and automate and simplify security checks, Worley adds.
As demand for cybersecurity talent increases, and larger firms use outsourcing more, Worley says that small businesses are likely to face higher prices for such work.
“SMBs today are working with them much more than enterprise,” she says. “As soon as demand goes up and begins to outpace capacity, then price points tend to go up to compensate for that.”
Meanwhile, almost nine out of 10 survey respondents say that cybersecurity technology could help compensate for skill shortages. Vendors are increasingly moving security functions into centralized consoles, Worley says, especially to manage how data flows inside an organization and to prevent data from being stolen or siphoned out.
Many companies are becoming more tolerant of automating rote security functions like updating antivirus databases, which will let companies take their current cybersecurity talent and move them to tasks that require deeper analysis, Worley says.