alphaspirit - Fotolia
Cybersecurity's shortage of skills leaves IT projects vulnerable
A recent study found that as IT projects proliferate, cybersecurity's shortage of skills is leaving tech vulnerable. Analyst and study author Jon Oltsik explains in this Q&A.
As the cybersecurity skills shortage worsens, it is rapidly becoming a problem for the entire business. That's according to a recent study of the cybersecurity profession by the Information Systems Security Association and analyst firm Enterprise Strategy Group (ESG).
Seventy percent of respondents claimed that their organizations were affected by the shortage of skills in cybersecurity. Apart from exacerbating the number of data breaches, the shortage of skills resulted in an increased workload for existing staff that left them with limited time to work with business units to align cybersecurity with business processes, the study uncovered.
At a recent press teleconference, Jon Oltsik, senior principal analyst at ESG and the author of the report, highlighted the cybersecurity areas with the biggest shortage of skills and explained why it's imperative for CISOs to consider the skills shortage in every decision they make.
Editor's note: The following transcript has been edited for clarity and length.
What areas in cybersecurity have the biggest shortage of skills?
Jon Oltsik: We wanted to uncover the specific areas where cybersecurity skills shortages were most acute. Three areas stood out.
First is security analysis and investigations. This is a highly skilled, highly experienced area. If you have a shortage there, you have two choices: One is to poach people from other companies, or give up and outsource. We are seeing both activities and you can understand why there is salary inflation and why there is such competition from people if this is an acute shortage.
Second is application security. If you don't have good application security people, then you are not getting involved in the application development process where you can do a lot more secure code development, or secure testing, and risk-modeling and building security into the applications themselves. The alternative is to layer on some application security controls after the fact, but those controls may be going on top of 'buggy code' because of this. The other thing to consider is that there is a lot more application development happening now than in the past. We have mobile apps, cloud apps, [internet of things], digital transformation and a lot of that development is pretty sloppy. More apps, more insecure apps, more problems.
Third is cloud computing security. If you are a cloud computing security architect, you can write your own ticket. But there aren't a lot of those skills. There are some really good efforts in the industry like the SANS [Institute] training, things like the Cloud Security Alliance. But suffice it to say, there is more cloud application development and cloud proliferation than there are security people to oversee that and that's a concern.
Jon Oltsiksenior principal analyst, Enterprise Strategy Group
Why should CISOs consider the shortage of skills while making decisions?
Oltsik: There's a lot of innovation going on when it comes to cybersecurity and there's a lot of money going into cybersecurity startups. But if we don't have people who know what they're doing, it doesn't matter. It's really important that we as an industry, and even society, recognize that.
CISOs must consider the shortage of skills in every decision they make: Whether it's a new business application or process … or buying a new technology for security. You have to ask yourself, 'Do I have enough knowledgeable people to make this work?' A CISO has to be sort of a portfolio manager now. They have to point their skilled people to the right tasks, outsource some tasks and automate some tasks. It really has to be part of the whole strategy.
If you are a business manager and you are underinvesting and underplaying cybersecurity, you will be breached. You will not be able to retain your cybersecurity staff and your CISO won't last there. I think these facts really need to be communicated in the industry.