When it comes to security, companies are trying to do the best they can with what they have and are often simply hoping they aren’t targeted in a cyber-attack.
These are trying times for corporate information security programs. As if dealing with increasingly sophisticated attacks that can come from virtually anywhere wasn't enough for IT and security executives, they also have to grapple with a shortage of people who have the cyber-security skills organizations need.
Organizations need to find effective ways to continue protecting data and systems despite the struggle for talent, or they will risk joining the ranks of companies victimized by data breaches.
A recent report by the International Information System Security Certification Consortium Inc. (ISC)2, a global provider of education and certification services for information security professionals, shows how serious the talent shortfall has become.
Nearly two-thirds (62%) of the 14,000 worldwide organizations surveyed online for the report in 2014 said they have too few information security professionals, compared with 56% in the 2013 survey. The study, (ISC)2's seventh Global Information Security Workforce Study, found that the reasons for the hiring shortfall are less about money, since more organizations are making budgets available to hire additional personnel.
An even bigger contributor to the shortfall is the insufficient pool of suitable candidates. The report predicts that the global security hiring shortfall will reach 1.5 million in five years. The shortfall is the difference between a projection of the workforce needed to fully address escalating security staffing needs (calculated by research firm Frost & Sullivan) and (ISC)2's workforce projection.
While the unending advancement in the variety and sophistication of cyber-threats, and growing risk areas such as mobile, cloud-based services and the Internet of things, are contributing to rising workforce demand and to demand for a workforce with a broader range of qualifications, the report noted, other contributors are "self-inflicted," stemming from the decisions organizations make about security priorities.
"It's unlikely we'll find solutions to get around the workforce shortage for the long-term," said David Shearer, executive director at (ISC)2. "In the near term, organizations are attempting to use technology as a workforce multiplier. But there's only so much efficiency and effectiveness you can achieve."
Companies are investing more in tools and technologies, Shearer said. "However, threats are evolving faster than vendors can advance their products," according to the firm's research, he said.
"In some cases, it's more of a situation where organizations are trying to do the best they can with what they have and hoping for the best," Shearer said. "Until we find viable solutions to the workforce shortage, many organizations will be 'hoping' they're doing enough" to protect their resources.
Signs of strain within security programs due to the workforce shortage are showing up, the report states. For example, survey respondents cited configuration mistakes and oversights as a material concern, and remediation time following system or data compromises is steadily getting longer.
Demand for security talent continues to far outpace the supply, added Mark Orlando, director of cyber operations at Foreground Security, a security consulting, training and services firm.
"We see many people jumping into the cyber-security field without having the requisite baseline knowledge to truly understand what is normal activity versus what is malicious or suspicious, or what is a secure configuration versus unsecure," Orlando said.
As businesses continue to educate themselves about IT security, they must also learn how to measure and evaluate what they're getting in terms of security support and risk management, Orlando said. "In the absence of security 'rock stars' to perform defensive super heroics, documented, repeatable processes underpinned by solid security policy are vital to protecting critical data and responding effectively when a problem or a breach has occurred," he said.
Companies are attempting to make do despite the security talent constraints.
Hargrove, an organizer of trade shows and other events, is facing challenges both in finding security talent and dealing with budget constraints related to hiring security staff. The company is looking to outsource most of the security analysis, evaluation and technology implementation, said Barr Snyderwine, CIO.
"We will have a response team, but will also rely on outsourcing the level two response and analysis," Snyderwine said. "Even at that, it is hard to find companies with the skills and time to assist. The next step will be to propose additional budget for next year for additional consulting time to improve our security."
In the meantime, Hargrove is relying on standard security tools and measures, such as antivirus software, patching, updates and limiting access to its network. "In addition, we do least permissions," Snyderwine said. "We take away as much admin rights as we can without hurting the ability to work. This has improved our security by decreasing incidents across all platforms."
The company is moving business applications to the cloud with service providers that have high levels of security and encryption, Snyderwine said.
Another part of the strategy is providing regular training for employees on the security of company data as well as personal information. "Users listen better when it is their data on the line too," Snyderwine said. The training includes launching simulated phishing attacks against staff, which he says are very effective.
"We also are moving as much sensitive data off the network as we can," Snyderwine said. "We recently tokenized one set of sensitive data so we do not store it on our network."
Experts say one of the keys to increasing the security talent pool is getting Millennials and other younger workers interested in pursuing careers in the field.
"We really need to refine our messaging to younger generations to attract them into this stable, high-paying and in-demand career field," Shearer said. "The profession must invest in the future, create more awareness around information security as a viable career option and offer entry-level pathways."
To attract Millennials, "we can stress the importance of understanding what we're protecting at a practical level, including business processes," Orlando said. "We should engender a curiosity and a passion for security that extends beyond coursework and certifications. We must cast this industry as what it is: a challenging, dynamic set of problems that can only be solved by creative and analytical minds."