François Gratiolet, CSO EMEA at Qualys, writes about an IT security skills gap.
The UK’s National Audit Office (NAO) released a report in February this year (The UK cyber security strategy: Landscape review) that concluded that a lack of skilled workers is hampering the UK’s fight against cybercrime. The European Commission digital agenda commissioner Neelie Kroes recently told delegates at CeBIT 2013 that the EU’s competitiveness is “under threat” if it cannot fill an expanding IT expertise gap. The commission’s own figures suggested that there will be 900,000 vacancies for IT-related roles by 2015. Whilst these figures do cover other IT fields than just cybersecurity, the skills gap in our industry is plainly obvious to those in the profession, and it’s felt at every level: strategic, tactical and operational.
Cybersecurity does not suffer from a lack of publicity – the nature of IT security means that it is in the spotlight – the media is fascinated by crime, data breaches at large, well-known companies, and the actions of politically motivated groups such as Anonymous. It is, however, an incredibly complex field – this forces companies to compete for top talent in order to protect their corporate brands, customer data and avoid any thefts of critical intellectual properties.
Finding and retaining skilled employees is a classic business issue that is not unique to cybersecurity. However, the security talent market, unlike many similar knowledge economies (e.g. engineering), appears to be getting increasingly competitive as time progresses as more and more companies are forced to contend with each other, to secure the best talent that is limited. There are a number of reasons behind the growing skills gap:
1.Attacks upon IT infrastructure are becoming more complex and so there is a growing demand for specialist, highly-skilled employees and there simply aren’t enough qualified candidates to fill these roles
2.Businesses grow more dependent upon IT every day – new usages for IT arise regularly, and with each advancement the security requirements and risks are heightened for the participating businesses
3.New security and compliance regulations further segregate skillsets and limit the amount of professionals available for a particular role
4.New trends such as hyper-connectivity, Big Data, BYOD and mobility are increasing the amount of opportunities for hackers to gain access to key systems
In the end, I believe the biggest consequence of the above is a steady deterioration in product quality in the security sector. The number of security vulnerabilities that businesses are exposed to continues to grow dramatically, and security products can barely keep up. This ultimately results in a loss of revenues for the businesses affected.
Solutions, not problems
It may be that the cure for the technology industry’s security problem is, in fact, more technology. Automation of attack prevention and detection is growing much more advanced, and we are finding that companies can protect themselves against the vast majority of attacks without the need for a specialist engineer at all. The computers will start to do a good job of protecting themselves as time progresses and the technology matures.
However, automation alone is not a magic bullet. Businesses themselves must start raising awareness of good security practices within their own organisations too. Big Data projects, for example, were found to be treating security as an afterthought at this year’s CSO Interchange event in London (a troubling thought considering the level of insight into people’s lives that can be obtained via this kind of computing).
Do we really need more IT security officers?
With the expansion of the technology sector into virtually every business, we will certainly be seeing a greater demand for skilled CSOs. However, their role will change dramatically in the next ten years.
CSOs will move away from fixing problems and start to become more business orientated, working to make sure business objectives are met, whilst keeping security in mind. Successful CSOs will also partner with business leaders in the organisation, enabling them to safely and securely adopt new technology that increases productivity and business transactions.
The more technically-minded security personnel will still have a place, but as part of an Infrastructure as a Service (IaaS) or other-cloud based service providing organisation. Once this migration of infrastructure to the cloud is complete, cybersecurity will become more “centralised”, with one organisation looking after the security of many.
This is a bright future to look forward to, despite the dire warnings of a skills gap leaving us all vulnerable. With centrally-managed infrastructure, standards of security can start to be applied across the board, improving the security of hundreds of businesses that otherwise would not be able to adequately protect themselves.
With these advancements made, cybersecurity will lose its stigma as a difficult field that will leave you in a forgotten corner of an office, and take its place amongst the other highly-skilled and respected occupations that have arisen in the last 20 years – securing the security professions’ future in the process.
Qualys is exhibiting at Infosecurity Europe 2013, an information security industry event on April 23 to 25 at Earl’s Court, London. For further information – visit www.infosec.co.uk.
