Security vendor Symantec has warned that businesses are losing the skills race against cyber criminals. The warning comes in the latest Symantec High Alert report titled ‘The Skills Crisis – Tackling The Critical Gap’ (registration required). The report is focused on companies in France, Germany and the UK and paints a dark picture of the state of the cyber security market.
The most worrying result from this survey is not the growing skills gap. In reality, that is something that should be expected. The rewards are higher on the criminal side and the chances of getting caught are low. The bigger issue is the number of staff looking to leave the industry (63%) or quit their jobs (64%). There is also growing evidence that burnout and mental health issues are mounting.
According to Darren Thomson, EMEA CTO, Symantec: “It is disturbing enough to know the barbarians are at the gate, without knowing the people attempting to defend you are outgunned and burned out. Yet, this is exactly what this new data reveals.
“It is hard to overstate the threat posed by an enemy that is learning faster than you are. If organisations value the security of their data and their finances, they must heed this warning and make strategic investments to address this emerging skills gap.”
Undermanned teams adding to the pressure
It is not just the lack of skills that is causing a problem. As employers struggle to recruit, existing staff feel under more pressure. That pressure is causing many to work longer hours for which they are not paid any extra. It also has an impact on skills as researchers and analysts are no longer able to keep their skills up to date. As a result, many feel that they are beginning to lag behind their peers which impacts their long-term employment prospects.
Being under constant pressure is increasing the mental health challenges across the industry. When a breach occurs, staff are beginning to feel that it is their fault, that they missed something or just cannot cope with the workload. The result is burnout and people leaving the industry not just for a short period but for good. When you already have a significant and growing skills shortage, this will just exacerbate the problem.
Dr Chris Brauer, Director of Innovation, Goldsmiths, University of London, who oversaw the report, said: “Cyber security professionals are first responders, locked into a constant arms race with attackers – where talent and skill are the most important weapon.
“The vast majority find this battle of wits an exciting and deeply intellectual challenge. But, this demanding work comes with high stakes and is fought at a frenetic pace with little support. Add to this the relentless volume of alerts and more mundane tasks, and the job can quickly turn toxic. Highly stressed workers are far more likely to be disengaged and ultimately quit. In an industry already plagued by a skills shortage, this is a significant risk to businesses.”
Key numbers from the report
The report contains a lot of data from the 3,045 respondents. Among the key statistics are:
- 44 percent say their teams lack the necessary skills to combat the threats their organisations face.
- 37 percent report their teams are simply not able to manage the sheer scale of the current workloads.
- 46 percent report their teams are too busy to keep up with necessary skill development.
- 45 percent say technological change is happening too quickly for them and their teams to adapt.
- 48 percent say attackers now have ‘unprecedented’ resources and support from ‘bad actors’, such as organised crime and state-sponsored hackers.
- 78 percent of cyber security professionals find themselves underestimating what is required to properly deal with a cyber security threat or incident.
- 77 percent find themselves rushing when assessing a threat.
- 69 percent of respondents report feeling responsible for a cyber security incident that could have been avoided.
The good news for the UK is that respondents reported lower numbers for all the above issues. In reality, this is cold comfort because the differences were generally small, less than 10%. With the current uncertainty in the UK over Brexit, there is an expectation from many in the industry that the UK is likely to come under greater attack over the next year. The UK is also not generating enough individuals with cyber security skills to fill existing posts, let alone those being lost due to attrition.
Technology only a partial solution
The security industry has been quick to point to machine learning and AI as a solution to the skills crisis. However, to make those solutions effective there is a need for properly trained individuals. That is a challenge. There is an even greater skills shortage here.
There is another problem. Technology is no magic bullet. The security industry is beginning to accept that the best role for machine learning is to augment skilled analysts. It can take a lot of the mundane refining of data away and provide better tools for analysis and tracing of attacks. While this may alleviate some of the stresses, it requires training. The problem is that nobody has time to be retrained as they are in constant firefighting mode.
For corporates, this is likely to lead to greater outsourcing of their security. This raises another problem – outsourcing security does not mean the legal responsibilities go away. Few companies have adequate processes that create a proper partnership between them and their security providers. In addition, there is still a need for people on-site who can respond to actionable intelligence.
Enterprise Times: What does this mean?
This is yet another report showing that there is a skills shortage in cyber security. It’s tempting to ask what it adds to the debate. A closer read answers that question. While most reports focus on the shortage, this one puts some details around the why and the likely outcome of that shortage. Importantly, it also addresses, openly, the problem of burn-out and brings mental health issues into focus. The latter is something that is too often brushed under the carpet in the security world.
There is no quick fix to this problem. Organisations cannot just go out and grab another bunch of skilled staff even if they existed. Salaries in this sector continue to rise but while this is bringing new recruits in, we are losing the skills at the top end. This is the same problem other industries have faced yet this runs the risk of becoming a crisis for the industry.
There are solutions but they are not quick fixes. Better recruitment from schools rather than demanding degrees and industry qualifications is a starting point. We need more vocational courses to begin to deal with the bottom end of the problem. Companies also need to look again at the potential for degree-level vocational training. This would give them access to skills for a period of time while they train new staff.
Ultimately, this report sends a message that we need to address structural issues in how we recruit, train, retain and provide long-term health support for cyber security teams.