The fight between hackers and organizations continues. Cyber threats are increasing in number and complexity, and it seems that hackers are coming out victorious.
Attacks have evolved from those that caused low level nuisance to more sophisticated attacks including disruption of networks, attacks on infrastructure, DDoS attacks and theft of personal data. It’s also now easy to buy an exploit kit on the web, making hacking accessible to almost anyone, plus there will be 25 billion IoT connected devices globally by 2020.
What’s worrying is that many businesses are ill-equipped to address these threats, leaving them vulnerable to hackers. According to NTT Com Security’s Risk: Value 2016 Report, while most business decision makers admit they’ll be breached at some point, just half agree information security is ‘good practice’. This raises the question as to why businesses are holding back from minimizing the effects of an impending breach.
Some experts argue there is a lack of internal resource to keep up with the growing threats, meaning it’s no longer possible for many organizations to tackle all aspects of information security management in-house. Organizations are, in the main, under-skilled and undermanned in security terms, and this is evidenced by a recent cybersecurity talent report, which estimates there are one million unfilled security jobs worldwide. This is unlikely to change in the near future and could actually get worse – with Frost & Sullivan predicting there will be 1.5m unfilled jobs by 2020.
According to the market research firm, security analyst tops the list of positions that are in most demand, with 46% reporting a staffing deficiency at that position in their organization. This is followed by security auditor (32%), forensic analyst (30%), and incident handler (28%).
We Have a Resourcing Challenge. What Are the Options?
Information security needs to be seen as a career choice and there needs to be greater awareness in schools and colleges globally in order to attract more people into the profession. Until then, companies need to think carefully about a future that relies on getting by with existing resources or outsourcing some or all of their security operations to a trusted advisor.
An organization’s IT team will be grounded in IT fundamentals and daily business operations, so would be well placed to take on roles in cybersecurity. Security experts need a great mix of technical and soft skills, which are usually honed over many years. They need to know how to communicate effectively with non-IT colleagues and understand business processes, compliance and analytics. Sounds obvious, but they also need to have a genuine interest in cybersecurity.
Training staff can be a great long-term investment, but information technology products change faster than an organization will be able to train its team. A commitment to training and professional development is a strategic decision needing high budgets. There is the obvious cost of training, as well as the length of time it takes to train each person while keeping the skills and certifications up-to-date. Then, when people leave, there’s the challenge of starting the process all over again.
Investing in internal resources therefore isn’t an option for a large number of organizations. Almost half of companies worldwide lacked in-house security skills, according to Frost & Sullivan’s 2015 (ISC)2 Global Information Security Workforce Study, while a third plan to use managed and professional services to address these skills shortages.
Outsourcing some or all of an organization’s security operations to a Managed Services Provider (MSSP) can alleviate the problem of there not being enough resources in-house. There are a growing number of MSSPs to choose from – although it is important to remember that not all are the same. Choosing one with flexibility to work within the organization’s chosen model is important, as is the ability to provide actionable intelligence.
A trusted provider will know how and where to find the right experts, invest in training and improving professional qualifications, and continuously monitor an organization’s network round the clock, every day of the year. If companies find they don’t need to fully outsource their security operations, they can use an MSSP to fill specific resource gaps such as developing an incident response plan – which currently 77% of organizations do not have, according to NTT Group’s 2016 Global Threat Intelligence Report.
In summary, there are currently not enough qualified cybersecurity experts entering the workforce. There’s no silver bullet in terms of training internal resource or hiring new resource to alleviate the problem, but there’s never been a more important time to address the skills gap.