Security Skills Shortage, Or Training Failure?

Most IT security groups are short-handed and can't find good people to hire, research says. But the real issue may be failure to invest in training new and current personnel.

Mathew Schwartz

August 21, 2012


[Slideshow: 11 Security Sights Seen Only At Black Hat]

Almost two-thirds of businesses say their information security departments are understaffed, and 51% say they can't find people with the required security skills.

Those findings come from a new Forrester Consulting report, "Security Intelligence Can Deliver Value Beyond Expectations And Needs To Be Prioritized," that was commissioned by IBM Global Technology Services. To make its point, the report largely references a Forrester Research survey of 2,400 executives and technology decision-makers at North American and European businesses, conducted more than a year ago.

According to the report, 53% of businesses say they can't find enough suitable employees to run in-house security intelligence programs. It describes security intelligence as "the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise."

Not coincidentally, the report notes that security intelligence programs can be largely automated, thus eliminating the need for so many warm bodies. Cue complementary findings, such as one chart titled: "security intelligence as a service overcomes all challenges to deliver amazing value," which is sourced to a May 2012 survey of "75 North American, U.K., and Indian IT security enterprise decision-makers."


Stepping back for a minute, whose fault is it that businesses, by their own admission, are facing a supposed talent shortage? Writing last year in The Wall Street Journal, human resources expert Peter Cappelli at the University of Pennsylvania's Wharton School lambasted business executives who said they didn't have sufficient access to talented personnel, when the very same people too often budgeted nothing for training, for either existing personnel or new hires, thus trapping their potential workforce in a Catch-22 situation. "One can't get work experience in school, and that's where training comes in," he said.

Likewise, in response to an InformationWeek column earlier this year that analyzed the supposed IT skills shortage, former hiring managers shared tales of "corporate cheapskates" who pursued the low-cost option at any cost, failed to reinvest in their workforce, and then complained that they didn't have enough fully trained--by others--personnel at their immediate disposal. "The moral compass is busted," said one Oracle/JDE consultant, noting that the days of many businesses investing in their employees' personal development appeared to be long gone.

In other words: Stop complaining about the skills shortage, and do something about it, both through training, as well as by working with local colleges and placement programs. "To get America's job engine revving again, companies need to stop pinning so much of the blame on our nation's education system," Cappelli said. "They need to drop the idea of finding perfect candidates and look for people who could do the job with a bit of training and practice."

Without a doubt, creating a top-notch information security program will demand investment, not least in training. And according to the Forrester survey, the information security risks that businesses must mitigate are very real: 72% of businesses said they're battling escalating and ever-evolving threats, 75% said knowing which threat to prioritize is a struggle, and 68% said that preventive measures are going by the wayside, owing to workload.

Given the escalating threat level, a recent study from IBM found--unsurprisingly--that chief information security officers (CISOs) are facing greater board-room pressure to improve their businesses' information security programs. Obviously, doing so will require spending money, and preferably to avoid breaches rather than simply to respond to them. "We know that it's much more expensive to implement your security controls afterwards," said Luba Cherbakov, a VP at IBM Security Services, speaking by phone.

For businesses that lack even a CISO, help is to hand--again, for a price. Multiple consulting companies, including CSC and IBM, offer placeholder CISO programs that can immediately put a temporary security executive in place, and then help the business build up its program and hire a suitable CISO replacement.

Beyond hiring a good CISO and investing in training for frontline security personnel, the information security calculus also requires knowing when it's best to outsource. Top candidates, according to Forrester, include outsourcing for email hygiene purposes (42% of respondents say they do this), firewall management (33%), vulnerability management (23%), and access management (22%).

Furthermore, many of these types of services work best when they tap into a bigger-picture view, either via the aforementioned type of threat or security intelligence feed, or by simply handing specific functions off entirely to a managed services provider. Cherbakov, for example, said that IBM's managed service program processes over 15 billion potential security events per day, drawing information from over 3,700 clients. Having that volume of data to analyze makes it easier to spot many types of online threats and attacks.

In other words, when it comes to addressing information security challenges, help is to hand. So rather than whining about a skills shortage, businesses need to hire a great CISO, train personnel to handle the latest threats, outsource when it makes economic sense, and keep the budget flowing. If your business isn't helping to employ and train the next generation of information-security professionals, then it's part of the security problem.
