Understaffed IT security teams leave companies open to a wide range of threats including phishing, DDoS, ransomware, ID theft and internal attacks.

September 19, 2016

What’s Behind the IT Security Workforce Shortage?

By WeathersfieldTM

The following is a guest post by Gur Shatz, co-founder and CTO, Cato Networks.

An unfortunate side effect of the explosive growth in IT security over the past five to ten years is a startling shortage of qualified workers. Last year, the global cybersecurity organization ISACA found that 60 percent of the cybersecurity professionals it surveyed said less than half of the prospective job candidates in their field were qualified. Even worse, 54 percent of respondents said that it took at least three months to fill open cybersecurity roles, and that one in 10 open positions is never filled. Understaffed IT security teams leave companies open to a wide range of threats including phishing, DDoS, ransomware, ID theft and internal attacks.

Like any industry, IT has boom and bust cycles of employment, but increased demand for skilled workers in this field is not a new phenomenon by any means. The education resources are definitely there – so what’s behind this staff shortage, and what can be done to address it? 

The factors: 

Too Many Point Solutions

Probably the biggest driver of the growth in IT security tech has been the practically exponential growth in both the frequency and sophistication of the threats that many enterprises now face. Cybersecurity teams, without much of a choice in the matter, have had to plug holes using a wide variety of specialized point solutions. 

The end result of playing catch-up with the threat landscape is a mess of appliances and software applications that require a great deal of expertise to manage and that can’t survive staff turnover, because the knowledge of how the system works sits with those who cobbled it together. It’s very difficult for any IT practitioner, even a highly skilled one, to come in and quickly get to work in such an environment, and existing teams are burdened even more.

Cloud and Mobility Dissolve the Perimeter

Just as businesses have had to expand their cybersecurity point solutions to deal with an evolving landscape, so too have they had to expand their networking capabilities to support the realities of a modern workplace. Today’s corporate IT infrastructure is often a web of cloud and on-premises solutions that are accessed via an ever-growing number of devices. Companies also must account for remote offices and branches, mobile workers and on-site employees. 

The biggest growth in networking over the past few years has been the advent of cloud services, which now suffer from a severe lack of cloud security specialists. While companies have been expanding their attack surface (as data and users are now more disparate than ever), the skills and expertise to secure them have not kept pace.

Conflicting Priorities

As the number of solutions that support networking and cybersecurity needs within an organization continues to grow, IT security teams start having to juggle a number of conflicting priorities. For example, the company may need to integrate a new acquisition or rapidly expand to new geographies. This creates a degree of urgency that may lead teams to overlook critical security steps that might impact the business. 

Overall, IT teams in many cases have to spend so much time running and managing the complex infrastructure they’ve created that they don’t have the time or manpower to think about – much less address – the evolving threat landscape.

The Solution? Simplicity 

Given the major shortage of qualified workers that now exists in IT security, and cloud security especially, there is no quick fix that will rapidly grow the number of candidates to meet the demand. 

IT teams should instead look to decrease the complexity of their existing security and networking infrastructures in order to better meet the capacity of workers that they currently have. Addressing the issue from the demand side – creating fewer instances where lots of security experts are needed – will take much less time than solving the supply side issue of worker shortages. 

Of course, this is easier said than done. What can teams do right now to actually reduce complexity? Start by leveraging the forces responsible for complexity – cloud, virtualization and SaaS – towards simplification. Migrate appliance-based and on-premises functions into the cloud wherever possible, and reduce the attack surface by cutting down on moving parts.

Teams should consider whether a given point solution is necessary, or if it can be wrapped into another application – preferably cloud-based. By solving the complexity issue, an organization can let its staff focus on core strategic IT security initiatives, such as cybersecurity training for staff, and spend less time on network management and maintenance. The result is a reduced requirement for newly qualified staff to fill in the gaps – simple.

About the Author

Gur is co-founder and CTO of Cato Networks. Prior to Cato Networks, he was the co-founder and CEO of Incapsula Inc., a cloud-based web application security and acceleration company. Before Incapsula, Gur was Director of Product Development, Vice President of Engineering and Vice President of Products at Imperva, a web application security and data security company.

Gur holds a BSc in Computer Science from Tel Aviv College.
