No other technology sector changes as rapidly as cyber security – with new threats appearing on a daily basis.
Cyber security is a highly technical field with technologies ranging from anti-malware to encryption to firewalls to logging and analytics tools to application security to access and identity management platforms – and the list goes on.
Then there are the threats, which range from legacy and new viruses and malicious code that plague PCs and mobile devices, to distributed denial of service (DDoS) attacks that can take servers and networks down, to random acts of evil that can take many forms. The cybercriminals are teenage thrill seekers, black hat hackers seeking notoriety, organised crime gangs, and hostile nation states. Understanding the technologies and threats, and categorising the criminals and their motivations, require highly specialised skill sets.
The severe cyber security labour shortage is one of the biggest threats to adequate protection against cyber attacks. Corporations and government agencies are seriously behind in the staffing they need to protect against an increasingly hostile threat landscape. High-profile cases also suggest that the vital importance of adequate cyber security measures has yet to filter through to decision makers.
What needs to change? First of all, organisations need to put in place effective policies that speak to corporate boards, managers and employees at all levels, alongside security awareness training for employees and ongoing cyber training for the IT troops.
The best defence against cyber-crime is a good offence, but without experienced players to staff all the cyber teams, organisations will continue to be vulnerable. While there are cyber intelligence tools capable of tracking and alerting on the latest vulnerabilities, organisations at risk don’t have staff who know how to use the tools and who really understand the threats and their consequences, especially when responding to live attacks in real-world situations.
The demand for cyber security practitioners is an order of magnitude – or two – greater than the current available talent.
According to a 451 Research Q2 2015 study, based on responses from over 1,000 IT professionals, primarily in North America, Europe, the Middle East and Africa, security managers reported significant obstacles in implementing desired security projects due to lack of staff expertise (34.5 percent) and inadequate staffing (26.4 percent). Given this challenge, only 24 percent of enterprises have 24×7 monitoring in place using internal resources.
A Rand Corporation study estimates there are around 1,000 top-level cyber security experts globally vs. a need for 10,000 to 30,000. IDC predicts that “by 2018, fully 75 percent of chief security officers (CSO) and chief information security officers (CISOs) will report directly to the CEO, not the CIO”. This is likely to move the CISO salary needle past the security software engineers they are trailing now.