Ongoing Security Skills Gap Projected by Survey

A recent survey of IT security managers found that 93 percent are already having, or expect to have, a tough time finding new employees who have the specific security skills needed to face the ever-changing threat environment. The study, commissioned by security vendor Tripwire, was carried out by Dimensional Research. The conclusions are based on the answers of more than 300, mostly IT managers for whom security is a significant part of their responsibilities.

About 45 percent of respondents to the online survey said they hired more security personnel in the last two years and expected to continue the trend over the next two years. Some 50 percent expect a heavy investment in training of their existing staff. And just over 50 percent have already used, or will soon turn to, outside services for security expertise.

It’s not surprising that 65 percent of those expecting to increase outsourcing named penetration testing as the security skill they want to go out of house for, since it’s highly specialized and it makes sense to have another company do this work. Other security needs popular among participants as outsourcing targets include forensics and investigation, security analysis, intrusion detection and cloud security.

What security skills respondents need help with? More than 50 percent want help staying on top of vulnerabilities. Keeping track of devices and software on the network and identifying and responding to issues (such as emerging threats) in a timely manner round out their top three concerns.

The technical skills that respondents value the most are network monitoring, IT fundamentals, vulnerability management, data security, security analysis and intrusion detection. Although secondary to technical skills, IT managers agree that soft skills are important too—65 percent of them selected “analytical thinker” as the most important soft skill. Others included good communicator, troubleshooter, strong integrity and ethical behavior, and ability to work under pressure.

Tripwire Vice President of Product Management and Strategy Tim Erlin says in a blog on the Tripwire site: “Considering the recent high-profile threats that have been attributed to unpatched systems, it’s no wonder that survey participants are concerned that a security skills gap could leave their organizations exposed to new vulnerabilities.”

The need for new security expertise in specialized areas is growing and will continue to grow in the coming years. Participants supported that thought. Almost 90 percent, with most answering “increase dramatically,” project their company’s cloud efforts will require the security team to need to hire or develop new expertise. DevOps and IoT were each projected by about 75 percent of IT managers to require new security skills. When you add in emerging technologies like machine learning, AI and robotics the challenge only becomes greater.

Analysis

There may be two problems at work here. There’s no doubt that there’s a security skills gap in the security area. But that’s likely fueled by another issue, a security personnel shortage. Numerous reports have stated that average security employee IT job tenure is shorter than that of other types of IT jobs. There is a long list of expectations of CISOs at some companies. Many are walking into the C-suite for the first time in these roles. It’s not surprising that their job tenure is notoriously short. They are clearly not enough experienced CISOs to go around either, since one of the factors behind CISO’s short job tenure is being recruited away by other companies.

Companies should make security employee retention a high priority. That combined with aggressive investment in training programs for existing employees and creating a culture of learning is the long-term approach that probably gets 60% of the job done. For the rest, hiring, contracting and outsourcing are the solutions of choice.

Scot Finnie

Scot Finnie

Scot Finnie was the editor-in-chief of Computerworld for 10 years. He was a Windows operating system expert for the prior 10 years. He torture-tested laptop PCs. He is a journalist, technologist, reviewer, columnist, editor, manager.

scot-finnie has 3 posts and counting.See all posts by scot-finnie