As the volume of cyberattacks spikes, so does the demand for security talent. In 2016 alone, the need for cybersecurity skills shot up 46 percent, with that demand continuing to increase for the foreseeable future. This wouldn’t be problematic if there were enough cybersecurity experts in the workforce, but that simply isn’t the case. According to research by Intel, 82 percent of IT professionals believe there is a shortage of available cybersecurity expertise.
That raises the question: Why is it so difficult for organizations to attract and retain the necessary cybersecurity talent?
This post answers that question, explains the impact of the situation on IT staff and explores alternative solutions to fill these voids.
The headaches of high turnover, demand
According to the Information Security Systems Association, 65 percent of cybersecurity professionals “struggle to define their career path.” To make matters worse, 46 percent of cybersecurity professionals are solicited for job opportunities once per week. The ISSA called the situation “an existential threat” that is both weighing on cybersecurity professionals and creating significant talent gaps in organizations.
CSO contributor Maria Korolov corroborated these findings and added that cybersecurity professionals frequently move between companies in search of higher pay, more schedule flexibility and more challenging and meaningful work.
The competition to attract and retain cybersecurity talent has become stiff as a result. According to ITCareerFinder, an information security analyst’s starting salary in 2017 may fall anywhere between $118,250 and $169,000. For most small and medium-sized organizations, that figure is enough to induce a migraine.
The negative impact on IT operations
The most immediate effects of this cybersecurity shortage are felt by IT professionals. Often one of two issues will arise:
- IT professionals will end up being spread far too thin, and will work well above 40 hours a week. Their attempts to close the cybersecurity gaps within their organization will ultimately cause them to feel overworked, and induce employee burnout.
- Alternatively, IT professionals will utilize the limited available resources and expertise, and in doing so, develop a false sense of security. According to a survey conducted by Arctic Wolf Networks, there’s notable dissonance in the mid-market regarding perceived security posture of information systems versus the actual level of security.
This is not to suggest IT ops teams can’t handle the heat, or that they’re underperforming. Rather, it’s to explain the risks associated with asking them to perform functions that don’t fall under their umbrella of expertise. At the end of the day, your IT staff can only wear so many hats.
Areas of greatest need
According to InformationWeek, cybersecurity skills that are in high demand include, but are not limited to:
- Network monitoring and access management.
- Risk mitigation.
- Intrusion detection.
- Security analysis.
- Data security.
In a large enterprise, these functions are typically handled within a security operations center. A SOC’s primary functions include monitoring network activity, managing risk, detecting indications of intrusion, performing security analysis, improving defenses, understanding threat lifecycles and helping to create incident response plans – all with the end goal of better data security.
Technically, every organization should have a SOC. But clearly, locking down the needed expertise to operate, manage and maintain a SOC – let alone the necessary tools and technology – is a challenge.
Director of Product Strategy at Arctic Wolf Networks, Sridhar Karnam, recently hosted a webinar that took a deep dive into some of these issues and provided a few pointers that may be of use to organizations struggling to build and maintain a SOC.
One of the best places to start, according to Karnam, is to hire IT operations professionals who have strong security hygiene. While these employees cannot necessarily stand in for security analysts (for many of the reasons mentioned above), they can help to minimize attack surfaces as they maintain network topology.
Karnam added that security culture is also hugely important, but it needs to come from the top down. The goal should be to improve security hygiene as a habit throughout the company by instilling best practices throughout the organizational workforce.
Finally, Karnam recommended teaming up with a cybersecurity partner that has the expertise and resources necessary to manage a SOC. Not even considering the tools, the fact is that in-house cybersecurity talent is beyond the price range of many SMBs. This means these organizations have to be creative and explore other ways to gain access to qualified security talent. To hear about them in greater depth, listen to the full webinar: Manage SOC with shortage of resources/ skills.