The annual "security-fest" that is the RSA Conference in California highlights key themes in information system protection for the coming months. For IT security professionals RSA is a chance to take stock, meet with peers, and explore new developments in IT security. For me, two themes stood out at RSA this year:
- There's more and more information technology to defend, but
- The stock of people who have the skills to secure it is dangerously low.
These themes were echoed in a lot of this week's conference sessions as well as in the many conversations that took place in the corridors and meeting places around San Francisco's Moscone Center. Adding to the discussion were two new surveys that put some numbers to these themes. I have included links to PDF versions of the reports here:
- State of Cybersecurity: Implications for 2015. An ISACA and RSA Conference Survey (of 1,500 ISACA certification holders and/or "RSA Conference constituents')
- The 2015 (ISC)2 Global Information Security Workforce Study (surveying 13,930 information security professionals)
For me, the headline findings from the State of Cybersecurity survey were that 76% of respondents said their enterprise had experienced an increase in security attacks in 2014 compared to 2013; and 82% thought it was either likely or very likely that their organization would experience a cyberattack in 2015 (likely = 44%, very likely = 38%). In other words, attacks are on the rise and most organizations realize their systems are likely to be attacked.
A shortage of confidence and skills
The growing realization of the inevitability of experiencing a cyber attack is a welcome dose of realism, particularly now that security is finally grabbing the attention of the board. Nearly 80% of respondents to the State of Cybersecurity survey said their board of directors was concerned with cybersecurity.
However, this new reality is also scary when you read that less than half of the respondents to this same survey gave an unqualified "yes" when asked: "Are you comfortable with your security team's ability to detect and respond to incidents?" To be clear, only 13% answered "no" to this question, however 41% answered "yes, but only for simple issues". So less than 46% said "yes" outright. Why? The survey offered some explanations for this low level of confidence, notably the shortage of adequately qualified security staff.
When it comes to hiring security professionals "more than 50 percent of the survey respondents reported that less than one-quarter of applicants are truly qualified for the open positions." When you think about it, that's a fairly staggering shortfall. The consequences of this situation, none of which bode well for an organization's ability to resist and respond to cyber attacks, include:
- Some security positions will be under-filled
- Some security hires will not be up to speed right away
- Some security positions will be unfilled for an uncomfortably long time
- Some security positions may never be filled
The survey found that nearly two thirds of organizations had trouble filling a security position in less than three months, with nearly one in 10 reporting they could not fill the position at all.
To drill deeper into the cyber skills shortage you need to look at the GISWS (Global Information Security Workforce Study), the headline number from which is this: 62% of respondents say that their organization has "too few security professionals". This is up from 56% two years ago, and while there are several reasons for this situation, pay and job satisfaction are not chief among them (these factors are explored further in the study). The shortage is mainly a combination of:
- More work to be done because there are more things to secure (think BYOD, Cloud, IoT, Big Data, plus economic expansion)
- More attacks from all sides (think criminals, nation states, and hacktivists)
- Not enough people entering the field (think about a skills gap > 250,000 by 2016 in the U.S. alone)
While a majority of security professionals report that they are satisfied with their jobs, a majority of organizations report they just cannot get enough of them. I recommend you review the full report for the details, including the surprise #1 factor for success as an information security professional (hint: it's not technical skills). The bottom line, according to analysts at Frost & Sullivan, is that if current trends continue, the global shortfall in the information security workforce will reach 1.5 million by 2019.
Closing the Cyber Workforce Gap
Changing those trends, more specifically increasing the supply of appropriately skilled security professionals, was the focus of a number of RSA conference events, none more so than the ESET-sponsored luncheon: "Cultivating a New Generation of Cyber-Workforce Talent." This invitation-only session was addressed by Michael Daniels from the White House and Phyllis Schneck from DHS. Their remarks were followed by a panel that included Eric Basu from the board of San Diego's Cyber Center of Excellence, of which ESET North America's CEO is co-chair (it was cool to hear shout-outs from the speakers to San Diego and ESET and Securing Our eCity for all the work being done here to raise security awareness and promote cybersecurity as a career choice).
When it comes to IT security as a career it is important to realize there are many aspects to this profession, and the GISWS is a great way to find out which aspects the security pros consider critical right now and in the near future. The chart below shows the top six skills and competencies that survey respondents said they needed to acquire or strengthen "to be in position to respond to the threat landscape over the next three years"
To be clear, there are many efforts underway already to get more people into the information security field. In the U.S. a lot of this activity is being driven by NICE, the National Initiative for Cybersecurity Education, which has a major Cybersecurity Workforce Component. The main non-profit skill certification bodies are also heavily involved, including CompTIA and (ISC)2, which recently introduced the Certified Cloud Security Professional program.
What is not clear is the extent to which the training and education being offered today matches the projected need, both in terms of scale and content. The 2015 (ISC)2 Global Information Security Workforce Study gives some good pointers, but ongoing research is needed. One area of improvement that must not be overlooked is the ability of Human Resource departments to put appropriate candidates in front of hiring managers, or rather, not overlook suitable candidates due to a lack of understanding of security skills and roles, but that's a whole other blog post right there.
For more on the trends spotted by ESET researchers at RSA Conference 2015, see Cameron Camp's post.