The cybersecurity skills shortage: What it means for your defense strategy

Cybersecurity requires a well-staffed and proficient team.

In the first two parts of this series, we have examined a pair of common causes of weak cybersecurity posture – outdated IT infrastructure and poor decision-making by management. Both of these issues are solvable through better IT solutions planning, customized consulting and adherence to frameworks from bodies such as the National Institute of Standards and Technology. However, there is a third obstacle that isn't as easily bypassed, namely the shortage of proficient security personnel.

Is there a "skills gap" in cybersecurity?

While tightness in the U.S. labor market was a recurrent theme of 2017, it didn't affect all economic sectors equally. The actual existence of a skills gap in the economy at large, along with its ability to explain hiring difficulties, has been hotly debated (compensation and benefits might also explain recruiting troubles), but it seems verifiable in cybersecurity.

The U.S. Bureau of Labor Statistics has estimated that information security analysts have median salaries above $92,000 and are expected to see 28 percent growth in total positions between 2016 and 2026. These data points suggest high demand and low supply. The current dearth of cybersecurity workers has had clear consequences for organizations everywhere:

  • A 2017 survey of security professionals by Enterprise Strategy Group and the International Security Systems Association found 22 percent of them thought their teams weren't big enough. Eighteen percent reported struggling with workloads.
  • Seven in ten respondents said that skills shortages had harmed their organizations by taking time away from proactive IT solutions planning, forcing the hiring of less experienced candidates and/or increasing the workloads of senior staff.
  • Even for highly skilled employees, the strain of overwork has left many of them without the time to keep up with new developments. More than two-thirds reported being in such a situation, which is bad news given the rapidly evolving threat environment.

The overall issue underscores a point we raised earlier in this series: Cybersecurity is not strictly about which technical systems you have in place. You also need talented humans on hand to identify and remediate issues.

Security analysts are essential to proper cyberdefense.

Common workarounds for the security skills gap

Many of the solutions for closing the gap are long-term. For example, collaboration between security vendors and educational institutions could attract more students into the field in the future. In the short term, practical alternatives to overworked security teams often pivot on working with managed security services providers and cloud-based platforms.

In these setups, both routine and advanced security tasks are entrusted to dedicated professionals. Whether they are working on data storage solutions, integrations between applications or basic IT infrastructure, they alleviate the burden you would otherwise bear in ensuring everything is well-protected from harm.

Specific benefits include streamlined patch management, 24/7 oversight of security events and potentially lower total cost of ownership, thanks to flexible billing models and predictable fees. Even if an organization is not able to move its IT assets to the cloud, emulating cloud service provider practices such as heavy use of automation and easy access to IT resources can lessen the strain on employees.
