There’s been talk for years of a skills gap in cybersecurity—the idea that there are plenty of jobs available, but the available pool of candidates simply lacks the knowledge and experience to fill them. There has been some debate about how real the cybersecurity skills gap is, and how much is just hype. A new survey from Tripwire suggests that the issue is very real—at least if you ask information security professionals.
According to the report from Tripwire, 93 percent of the security professionals surveyed are concerned about the cybersecurity skills gap. What makes the situation even more dire than that almost unanimous agreement is the fact that 72 percent also believe it has actually gotten more difficult to find and hire candidates with the necessary skills just in the last two years.
“It’s evident that security teams are evolving and maturing with the rest of the cybersecurity industry, but the pool of skilled staff and training simply aren’t keeping up. For example, beyond their technical duties, security practitioners may now be expected to spend more time in boardrooms or in the CFO’s office to secure more budget,” says Tim Erlin, vice president of product management and strategy for Tripwire. “While the makeup of the cybersecurity workforce may be changing, the fundamentals of protecting an organization have not. It will be critical during this transition to ensure there’s a long-term strategy in place around maintaining the foundational security controls like the CIS CSC.”
As I mentioned above, though, not everyone agrees. JC Gaillard, founder and managing director at Corix Partners, wrote in April of this year, “So it becomes apparent pretty quickly that the ‘cyber skills gap’ story dominating the headlines is just another aspect to an old theme: The cyber security industry obsession with finding technical and tactical silver bullets, to a problem that is in too many cases rooted in decades of adverse prioritization, complacency, a ‘tick-in-the-box’ culture around compliance and – fundamentally – poor corporate governance.”
As with most things, the truth lies somewhere in the middle. In this particular case, I personally feel like it’s somewhere in the middle, but leaning heavily toward the Tripwire survey point of view.
Thankfully, there are multiple solutions to this problem. First would be an effort to enhance and improve STEM education throughout the school system and influence more young people to pursue a career path in information security in the first place. We can also appeal to those in search of a job or interested in making a career change to seek out the necessary skills to fill these roles.
As awesome as that might be, the more efficient—and probably more effective—solutions lie in outsourcing, automation and outsourcing to a company that does automation. Of those surveyed by Tripwire, 88 percent believe that managed services would add value and help solve the skills gap problem, and 91 percent plan to supplement their cybersecurity team with outsourcing. Enlisting the aid of a managed security service makes sense on multiple levels: You generally get superior security for less than investing in full-time employees to build a team internally.
Automation is also an excellent solution. Ninety-six percent of survey respondents believe that automation will play a key role in solving the cybersecurity skills gap. The more monitoring, threat detection, alerts and notifications and other routine functions can be automated, the more time your cybersecurity experts will have to focus on resolving tough issues, and—more importantly—proactively streamline capabilities and improve security in general.
The cybersecurity skills gap exists, in my opinion. The bad news for many would-be job seekers, though, is that outsourcing and automation will probably fill the gap better and faster than training and hiring teams of employees to do the job.