For any cyber security specialist who’s due a pay review, recently published threat reports make worthwhile reading. The latest annual roundup from FireEye confirms the Cyber Security Skills Gap as one of the biggest risks facing businesses. Specialists in this area are dubbed a “scarce resource” – and (assuming they know their stuff) are definitely worth hanging on to…
Here, we take a closer look at what’s driving this gap – and what this means for businesses, employees and anyone who’s thinking about topping up their cyber security credentials…
The skills gap: what are we talking about?
The research in question is the M-Trends 2018 report from FireEye subsidiary, Mandiant, based on the company’s investigations into targeted attack activity in the year up to October 2017.
The message is as follows: there’s a deficit in the availability of information security personnel – and this shortage is expected to get worse over the next five years. This assertion is drawn from Mandiant’s own engagements with organisations. It’s also supported by intel from the US National Institute for Cybersecurity Education (NICE), which reported that 285,000 cyber security roles went unfilled last year in the US alone.
Mandiant estimates that it takes 9-12 full-time employees to keep an enterprise-level cyber defense center manned around the clock. Especially for bigger companies, there’s a drive to adopt “a more proactive security posture” and develop their own capabilities in areas such as malware analysis, threat hunting, automation and threat intelligence. All of this drives the demand for more staff.
ESG’s annual global survey on the state of IT paints a similar picture. Based on data from North America and Western Europe, it shows that infosec comes top of the list of tech-related roles where businesses are experiencing a “problematic shortage” of skills.
The ESG data shows how the gap has been getting bigger over time. Back in 2014, 23% of respondents reported a problematic shortage in recruiting cyber security skills. By 2018, it was up to 51%.
What’s driving the shortage?
We’d suggest several factors…
The compliance element: data security becomes a bigger priority
On the one hand, greater automation/orchestration and the use of advanced analytics help IT cyber security departments to cover more ground with fewer resources.
But at the same time, ever-greater numbers of businesses feel the need to invest in specialist in-house cyber security skills. Regulatory compliance is undoubtedly driving this. This is especially the case for organisations with an EU customer base, as businesses grapple with the implications of the General Data Protection Regulation (GDPR).
Where security breaches involve personal data, GDPR ushers in mandatory breach reporting for the first time. There are also tighter rules in areas such as record keeping and privacy impact assessments - along with a tighter fine regime.
The upshot? Many businesses that haven’t previously considered it necessary to bring on board dedicated cyber security expertise are changing their minds.
The education element: getting the right training
If you’re a Computer Science graduate, try and think back to what you actually covered, security-wise. Chances are, there was a module along the lines of ‘Internet Architecture & Security’ (or something similar), which covered broad models of security and management of security issues from a theoretical point of view.
So is this enough for you to begin to grapple with the real-life security issues faced by organisations? Hardly...
Speaking to Computer Weekly, Canon’s information security director, Quentyn Taylor, described how many would-be candidates for security roles “have a lot of certifications, but have very little real-world experience, or good advanced technical skills but they are missing the soft skills and basic skills.”
If organisations are serious about developing and keeping hold of cyber security talent, they need to offer meaningful, hands-on continuing professional development. And if your employer isn’t making this happen, you should think seriously about taking matters into your own hands, training-wise.
The attrition element: can you cut it?
You’ve been putting in the 12-hour days. You spend so much of your time troubleshooting, there’s no time for professional development. And to top it all, there’s no sign of your employer bringing on board the extra help you’ve been asking for…
Job fatigue is a very real problem in the cyber security world. Almost two thirds of pros in this area say that skills shortages have increased the workload of existing staff - and 38% say that those shortages have led to high burnout rates and staff attrition within their organisations. Unless it’s addressed, all of this is going to fuel the fire of existing shortages.
In the UK, roles linked to cyber security are expected to see a 7% salary increase this year, one of the biggest hikes in the IT sphere.
It means that businesses that fail to provide their people with the support (and remuneration!) they deserve are likely to find themselves at the sharp end of the skills gap.
And as for anyone who’s thinking of moving into this area, it’s clear that the rewards are out there. Check out our Cyber Security Career Guide for the best ways to start a cyber security career.