It doesn’t really matter where you look, there is no denying the difficulty in staffing up and retaining a qualified team of security players. Whether you read Steve Morgan’s analysis at Cybersecurity Ventures or the numbers from the team at the Center for Strategic and International Studies ( CSIS ), there is a 7 figure gap in our industry’s ability to provide the skilled security resources that organizations require. And the challenge gets tougher. Tech Republic reports that 84% of cybersecurity workers were looking to switch jobs back in 2018, and there is no reason to think that the trend has improved.
In this high paying and high demand profession, it seems logical that there would be job satisfaction and a growing cadre of highly experienced individuals helping to train the next wave of analysts and advisors. Unfortunately, the demands of this job can be pretty high. The Information System Security Association ( ISSA ) and the Enterprise Strategy Group ( ESG ) have researched burnout among security players, and the numbers are high, with 47% reporting that they are only somewhat satisfied, for a variety of reasons.
I think that the way out is through well-defined, clearly understood, third-party care. I’m not suggesting a move where organizations abdicate responsibility for their security posture and write checks that purchase deniability and absolution. Instead, I believe that the unique dynamism and scale of security challenges cry out for specialized services and capabilities.
We often talk about cybersecurity through the use of medical metaphors, like viruses and infections. Let me give you another one: hospitals. Few, if any, individuals currently maintain their own full time doctors. They definitely don’t maintain a stable of every type of specialist they may need, and they probably have neither the specialized equipment or technicians necessary to scan for cancer, broken bones, or high cholesterol. They may have a personal trainer, but for advice on treating a chronic condition, and the prescriptions they will follow, will come from some well-organized, very focused health care organization. This is because a hospital, clinic, or large practice, is comprised of individuals who are only thinking about medicine. They are looking for new illnesses, best practices in treatment, and they are there to handle urgent requests for help when the need arises.
How like modern security is all of this. Security has been an area that required constant research and attention since the advent of pervasive internetworking in the mid-1990’s. Since then, the need to keep up, specialize, and purpose-build infrastructure has been driven by the de-perimeterization of networks and controls, the expansion of application development on new platforms, and the introduction of the new security challenges associated with digital transformations and the cloud. As a result, managed security providers are growing rapidly. They can attract the security resources that want to work among like-minded teams. They want to be rewarded for thinking of security first, not shunned. They want to learn and grow, to be the object of investment in their advancement and improvement. Non-security organizations can’t provide these options, and so I think that more and more talented security resources, particularly those in the first decade of their career, will gravitate to security services, and the organizations that need the skills, will look there as well.
I’m speaking this week to an audience of very experienced CIO’s, looking to understand both the technical and human challenges of our changing security landscape. I’ll be painting a positive picture of improving cooperation, technology, and detection, but I’ll also be highlighting the real challenges of trying to do everything themselves. At some point business reality and market efficiencies start to tilt the balance away from doing it themselves, and towards segmenting duties and looking for some help. I’ll be interested to see how they see it, and to see how many have already done the math and are just trying to understand when—and how—to move.