Another report was just released that points out a critical challenge for CSOs and CISOs. Most concerning is that this challenge has been shown to contribute to cybersecurity incidents.
I ran across a new report that is well worth reading and sharing with others in your organization. This report is not about a new vulnerability, scam, malware or hacking campaign. It is about issues that are far more difficult to solve.
This report highlights today’s shortage of cyber security resources. This twenty-four-page report was produced by Intel (McAfee) and the Center for Strategic and International Studies (CSIS). The report focuses on the current state of cyber security resources in eight countries and includes a fair amount of supporting data.
Countries participating in the modeling.
• United Kingdom
• United States
There are two key points in the report that should be highlighted. First, figure 5 of the report indicates the 35 percent of respondents said that “We can’t maintain an adequate staff of cybersecurity professionals.” This is not a new issue by any stretch. Two years ago the Rand Corporation published a study on the shortage of cybersecurity professionals and stated that it poses a risk to national security (Link http://www.rand.org/news/press/2014/06/18.html). The talent shortage has been known for several years and the problem has still not been solved. Even more concerning is that the demand for cybersecurity practitioners has and will continue to increase as we add billions of IoT (Internet of Things) devices, connected cars, wearable computing and smart cities.
Now add to that issue that it will take years to complete the current training. Once the initial training is completed let’s not forget the workforce will need continuous refreshing of their knowledge and skills in order to maintain their proficiency. Given the continuous change that is taking place in the cyber environment, this will be no small challenge. If that does not look like a big enough challenge take a look at figure 10 of the report. It indicates less than 1/4 of respondents believe education programs (universities or vocational) are fully preparing cybersecurity professionals.
The cybersecurity industry, and governments for that matter, have known about this problem for years and yet the problem still exists. In fact, the issue is getting worse from my vantage point. So just how do you plan to protect the growing information assets of your organization from the growing number of cyber threats until additional resources become available? This is a national security issue and that is not an overstatement. A well thought-out strategy is needed ASAP. That must be followed by flawless execution of that strategy if any relief will be seen in the next two to four years.
Here are a few recommendations. First, get with your local colleges, universities and trade-schools and work with them on a program that meets what is needed currently to be a cyber security practitioner. Second, speak to potential students – help recruit cyber security students for the schools. Third, work with schools to continuously infuse information about new cyber threats into their course loads.
A 2015 survey of more than 3,400 ISACA members in 129 countries determined that 86% of respondents see a global cybersecurity skills gap (http://www.isaca.org/pages/cybersecurity-global-status-report.aspx). That gap just increases the exposure every organization faces and even puts you the CSO and CISO at risk. Fourth, work with your human resource department to offer an apprenticeship or internship to further prepare the students to enter this extremely challenging field.
Finally, recognizing that you are competing for these resources. Cisco examined this problem and puts the global number of cybersecurity job openings at one million. Michael Brown, CEO at Symantec, stated that the projected shortfall of 1.5 million in 2019. This is one of those challenges that should be raised as a concern to executive management. They need to be aware of this critical issue and work with you to make sure your resource needs are met.