The skills gap is one of the five greatest challenges to organizations' compliance and IT operations. It manifests itself in two ways.
First, some information security professionals might not be qualified for their positions. Security practitioners who lack an appropriate skill set might have a difficult time connecting security to the business. If that's the case, those individuals could struggle to evaluate the importance of protecting each business asset against digital threats. They could also fail to implement the appropriate techniques necessary for crafting a proper defense strategy.
Second, there aren't enough trained professionals looking for work. Given the state of digital security today, many skilled personnel are already employed. Organizations must therefore compete with one another over folks who might not yet have acquired experience in the field. That means their security posture will be comparatively weaker than that of other companies.
Those two trends pose a significant threat to companies, which raises the question: how are organizations addressing the skills gap? Are they hiring an adequate number of cyber security experts? If so, how? If not, are they doing anything to compensate for the lack of trained security professionals?
To get to the bottom of those questions, Tripwire commissioned Dimensional Research to survey 500 IT security professionals about their organizations' key challenges in their cyber security and compliance programs. Tripwire's 2016 Security Challenge Survey – Skills Gap specifically sought to gauge respondents' perspectives on the skills gap in information security. When asked if their organizations have enough security professionals to detect and respond to a data breach, 75 percent of respondents answered no due to a lack of people, a lack of proper experience, or both.
IT professionals are well aware of the threat the skills gap poses to their organization. Indeed, 66 percent of respondents answered that their organization's lack of trained infosec professionals has increased the IT security risks facing them. Approximately the same percentage of respondents (69 percent) said they've acted on that perception and attempted to leverage technology solutions to compensate for their organizations' dearth of personnel. But as noted by Tim Erlin, director of IT security and risk strategy for Tripwire, technology can only do so much to strengthen an organization's information security posture:
"Cyber security is a growth industry for employees, and supply is falling far short of demand. Smart organizations need to establish effective programs for educating and developing employee skills around information protection. Having the right tools is only part of the solution. A lack of cyber security skills not only degrades an organization's ability to respond to incidents, it also inhibits organizations from developing and deploying effective prevention."
Fortunately, companies aren't powerless against a lack of trained personnel. Organizations can begin to address the skills gap by creating two people-centric processes. The first should be a comprehensive training program that builds cyber security expertise. Companies should then create a program that focuses on recruiting and retaining infosec talent. At this time, many organizations lack one or both of those processes. In Tripwire's survey, more than three-quarters (78 percent) of respondents said they lack an adequate training program. And while more than half of participants said their companies struggle to hire (72 percent) and retain (52 percent) skilled security professionals, about the same number of IT professionals (50 percent) revealed their organizations have no program in place to address either shortcoming.
Investing in their people and processes is the first step for many organizations to combat the skills gap. Only then can they pivot to determine how they can use their security experts wisely. Erlin elaborates on that point:
"While tools can't replace people, effective automation can give skilled employees more time to spend on the tough problems. Organizations should examine where their cyber security teams are investing manual effort into tasks that could be automated. Reducing and removing tedious, manual work can help improve employee retention as well."
Conclusion
Given the persistence of the skills gap, there couldn't be a better time for individuals who have an interest in computers, engineering, and information security to find gainful employment. Of course, the path to a successful career in information security, for which there are many options to choose from, begins with a strong educational background.