In my previous post about Tripwire's latest skills gap survey, I noted that over the past couple years, it has become more challenging to hire adequately skills cybersecurity professional. In this post, I'll share Tripwire's second set of findings. These results cover which technical skills are most needed and what organizations plan to do about ensuring they show up in their expanding security workforce. In Tripwire's survey, there was large agreement that security teams will need to keep sharpening their technical skills in order to keep up with advanced threats. Seventy-nine percent of respondents said they believe the need for technical skills among security staff has increased over the past two years, with the majority citing network monitoring, IT fundamentals, and vulnerability management as most important. Even more concerning, almost half of the survey participants were concerned about their teams losing certain skills altogether. Of those, 52 percent were concerned about staying on top of vulnerabilities, 29 percent were concerned with keeping track of devices and software on the network, and 24 percent were concerned about identifying and responding to issues in a timely manner and staying on top of emerging threats. These fears are concerning and perhaps surprising since they pertain to the retention of absolute basic security essentials in every one of their IT security professionals. Tim Erlin, vice president of product management and strategy at Tripwire, says this anxiety among survey participants isn't unfounded:
"Considering the recent high-profile threats that have been attributed to unpatched systems, it's no wonder respondents are concerned that a technical skills gap could leave their organizations exposed to new vulnerabilities. I'm encouraged to see that respondents are prioritizing skills for foundational security controls, such as vulnerability management and network monitoring, when they're hiring."
Teams also voiced their intention to keep up with the advancement of the cloud, the Internet of Things (IoT), and DevOps. Eighty-eight percent said they expect the need for expertise in the cloud to increase, while 77 percent indicated a growing demand for IoT expertise as well as for DevOps. Most security teams disclosed they might turn to outside help to satisfy this need. Ninety-seven percent said technology vendors can help address the skills gap, so it's not surprising that 91 percent of respondents revealed they will outsource security skills to help address the technical skills gap. Erlin thinks that's a logical move:
"Growing adoption of cloud, IoT, and DevOps brings about new challenges that security teams will need to keep up with, and if organizations want to bridge a technical skills gap, they should look to work with security vendors and managed security providers who can help them address today's major attack types while also offering training to their existing IT teams. As security continues to become an even bigger challenge for organizations, we can expect to see more and more businesses outsource to gain security expertise in the future."
In earlier posts, we covered the need for more women in cybersecurity and a blended training/education approach for closing the gap on technical skills. How do you think the industry can build a better funnel of technically adequate cybersecurity professionals? What else should security teams be considering? Please let me know in the comments!