Trustwave and Osterman Research have released the results of a study into cybersecurity resource limitations. The study, entitled Money, Minds and the Masses (registration required), can be downloaded from the Trustwave site. For many IT security managers it contains nothing they were not already aware of. For C-Suite executives, it gives a worrying picture as to why they are struggling to keep the hackers outside the organisation.
Commenting on the study, Trustwave Senior Vice President of Managed Security Services Chris Schueler said: “The shortage of staff able to solve complex security issues is an industry problem that continues to worsen, but the way organizations are going about filling this void is all wrong.
“Typical recruiting methods are not proving fruitful yet we keep seeing enterprises simply throwing bodies at the problem when what is really needed is better staff training, more budget support to hire the right personnel and additional assistance from experienced third-party experts to help amplify the more complicated and demanding areas of security like testing, monitoring and incident response.”
11 key takeaways from the study
The study lists 11 key findings that are explored in greater detail in the report. They include the issues of finding (57%) and retaining (35%) staff. Even when organisations do find staff there is a significant skills gap (60%) between basic security and dealing with more advanced attacks. Less than 12% believe that they will be able to find, attract, hire and retain those more competent at dealing with attacks.
The study also shows a degree of unexpected maturity. That experience trumps qualifications, and that more bodies don't mean better outcomes, are two big steps forward. The latter finding feeds into the education of staff, with the majority of respondents in favour of educating existing staff over increasing staff numbers. The costs to an organisation are lower, but it also needs to retain those staff.
There is also a realisation that having IT departments spend 40% of their time on mundane tasks is self-defeating. Those mundane tasks include patching and maintenance. Much of this can be, and should be, automated inside IT departments today.
Who controls the budget?
This study sends key messages to the C-Suite execs. Almost 75% of IT security leaders do not have control over their budgets. Given that they are best placed to know how to spend the money, this makes little sense. It seems the budget holders would rather argue over money and costs than solve security issues.
The costs of a breach run into the millions. In Europe, with GDPR coming on stream next year, those costs could leave some businesses in serious financial trouble. Regulators are unlikely to look kindly on companies that spend money on exec perks rather than security.
It is easy, to some degree, to see where some C-Suite execs come from. They have allocated a fair amount of funding to cybersecurity over the last few years. The problem is that they fail to understand this is not a problem that just goes away. The attackers are investing more than enterprises. This means the threat is constantly evolving and the C-Suite needs to allocate more funds to meet that.
This is where the C-Suite is struggling. Across the rest of the business a problem is identified, money is spent and the problem goes away. Cybersecurity refuses to play by the business rules they were taught and understand. It requires new thinking and awareness from C-Suite execs, which is happening, just far too slowly.
Where has all the talent gone?
This is a question that has been asked at a lot of security conferences in the last year. There is no simple answer. Part of the problem is that there has not been enough emphasis on cybersecurity education at university. Universities are addressing that by creating new degree courses focusing on cybersecurity. It is not enough and many of the courses are not teaching what the industry wants in terms of skills.
There is also a lack of technical college education to widen the skills training. There are a lot of very skilled 16-24-year-olds who have grown up with computers. They are easily attracted to cybercrime due to a lack of jobs and the ease with which they can make money. If there were more courses for them, and employers offering apprenticeships, this would start to plug the skills gap.
Organisations need to train and retain their staff
Organisations also need to do their own ongoing training. The respondents agree with this and the majority want to spend money on training. What they need is a wider set of choices.
This can be either through day-release apprenticeships or through sending staff on courses. The challenge here is retaining staff once they have the skills. Larger organisations are quick to poach skilled staff. This means employers have to be creative in the way they tie cybersecurity skills training to employment contracts. It is not insurmountable. The same problem existed in the run-up to the dot-com boom. It was solved then and can be solved now.
Refreshingly, the study shows that experience is trumping education when it comes to CVs. This is still an issue for companies, as those with experience are going to be hard to fit into salary profiles. Those same individuals will also have to get past HR teams who, in the main, still value education and qualifications over experience.
Talent the first casualty of a breach
When the inevitable breach occurs the blame game starts. The study highlights how breaches and compliance failures are highly likely to get IT security staff fired. If someone is incompetent then firing is a reasonable approach. However, a lot of IT security staff see themselves as being sacrificed to protect others.
It is not surprising that they feel this way. If they are not being given the training, finance or control of budgets, their ability to close cybersecurity gaps is limited. The danger for organisations is that this could lead to staff voluntarily going to regulators and causing greater damage to the business. If this happens more than once at an organisation it will also lead to a problem attracting new talent. Those that do join will also feel the need to negotiate ever larger salaries to compensate for what they will see as a short-lived job.
There are issues with talent in cybersecurity, but they are all resolvable. There is a tendency to focus on shortages rather than solutions. Enterprise Times recorded a podcast with Stephanie Daman, CEO of Cyber Security Challenge UK, last year. In it Daman talked about how the shortage could be turned around and the need for diversity and widening the talent pool. This study backs up some of what Daman said.
Perhaps the biggest message from this study is that organisations need to trust the people they employ to secure the enterprise. They have to deliver the right level of funding, identify the problems and then support those teams as they improve security. Breaches are inevitable but it is how organisations deal with them that matters. Firing your security teams and not investing in them only makes you weaker.
There is also an alternative view. Many have said that 2017 is a tipping point in the adoption of cloud computing. This is another factor for companies to consider. If they cannot recruit cybersecurity specialists themselves, they will turn to others to provide that resource. It is critical, however, that organisations realise that outsourcing security to others does not outsource liability. They will need to ensure they craft contracts carefully, especially when it comes to penalties for breaches. The argument for moving one's IT infrastructure into the cloud suddenly has another reason behind it, one that only a few years ago would have been used against moving to the cloud.