The U.S. government had its longest government shutdown in history between December 22, 2018, and January 25, 2019. It’s not yet clear what overall impact this closure had on U.S. digital security. In the short term, a SecurityScorecard report found that federal agencies’ network security ratings slightly declined but that both their endpoint security and patching cadence scores increased during the closure.
Potential long-term consequences are even more uncertain, though Fifth Domain and others have speculated that the shutdown will likely affect federal agencies’ ability to hire skilled digital security talent going forward.
This prediction is concerning given the fact that the digital security skills gap continues to worsen across all sectors. In October 2018, for example, (ISC)2 published research revealing that the shortage of security professionals totaled 2.93 million positions around the globe, with 500,000 unfilled jobs based in North America alone.
ESG conducted a study of its own shortly thereafter and found that 53 percent of organizations reported challenges with hiring skilled digital security professionals. That’s the third year in a row that this rate has grown. Given this trend, Cybersecurity Ventures’ prediction of 3.5 million unfilled positions worldwide by 2021 doesn’t sound unreasonable.
Tripwire is aware of these and other estimates. It wanted to hear what organizations are doing to address the skills gap. In response, Tripwire commissioned Dimensional Research to survey 336 IT security professionals about their employers’ experiences with the shortage.
Its findings were less than encouraging. Dimensional Research found that four-fifths of the respondents think it’s gotten harder to hire skilled security professionals over the past two years. (That proportion is up from 72 percent in 2017.) When asked to reflect on these difficulties, 93 percent of survey participants that the skills required to become a talented digital security professional have changed over the past few years, up from 82 percent two years earlier.
David Meltzer, chief technology officer at Tripwire, noted how these changing times pose a threat to organizations’ digital security:
We see the skills gap issue continue to worsen. The need is rapidly growing and demanding new skill sets as the threat landscape evolves and organizations’ technology environments/attack surfaces are changing, for example with growing cloud and containerized environments. This is concerning as threat activity is growing and organizations need the resources to maintain a strong foundation of security.
Unfortunately, it would appear that most organizations lack the personnel resources needed to combat digital threats. Eighty-five percent of survey respondents told Dimensional Research that their organization’s security team is understaffed. Approximately half (47 percent) of IT security professionals said that their employer’s staffing issues stem from a skills gap, while slightly more than that (49 percent) said their employer currently doesn’t face a talent shortage but will do so in the near future.
Together, those 96 percent of security personnel said they’re concerned that the skills gap will affect their ability to keep up with software vulnerabilities, respond to security issues in a timely matter, manage configurations and harden devices at 68 percent, 60 percent, 53 percent, and 50 percent, respectively.
Overall, organizations are less confident than they were in years past about navigating the skills gap. To illustrate, 43 percent of IT security professionals said in 2017 that they believed their employer could figure out how to do everything despite the skills gap. By contrast, just one percent of survey participants articulated that belief this time around.
Lamar Bailey, senior director of security research at Tripwire, feels this change in confidence reflects the pressures faced by security teams today. Bailey explains that security personnel must therefore do some creative problem-solving in order to adequately defend their employers:
Because security teams are stretched thin, it’s going to be more important than ever to build strong partnerships. Organizations can collaborate with trusted vendors to take pressure off their in-house resources. Approaches could include more automation of security tasks and support through managed service to ensure that no critical security controls are dropped. Maintaining a strong foundation of security is non-negotiable, so it’s imperative that organizations partner across the info security community to continue meeting security goals effectively.
Survey participants aren’t opposed to getting some help. In fact, 93 percent of them told Dimensional Research that they thought their employer would benefit from enlisting outside security support. When asked to clarify what this help might consist of, survey respondents said their employer would benefit from assistance in implementing security assessments, pen testing, and vulnerability management at 71 percent, 53 percent and 51 percent, respectively. Ninety-four percent of respondents said their employer has expressed interest in or is likely to invest in managed services in order to fulfill their security needs.
Anthony Israel-Davis summarizes this predicament and offers a solution in his blog post:
Security teams are talented, but there are only so many balls they can keep in the air by themselves when they have a distinct lack of resources. One way to keep those balls from hitting the ground is automation. And when it comes to cyber security, this can mean bringing in managed services. A managed services partner can take on many of the administrative and monitoring tasks that fill up the hours of a security analyst’s day. These teammates allow small teams to focus on their strategic objectives and provide valuable expertise to bolster core security staff.
You can read the full report from the survey here.
In the meantime, click here to learn more about how Tripwire can help your organization do more with less in light of the ongoing skills gap.