Talent Crunch Haunts Enterprise Security

Demand for information security experts has grown 3.5 times over the last five years, reveals a study

IFM Correspondent

June 16, 2015: With technology no longer restricting itself to only IT companies, organisations are increasingly facing the risk of cyber attacks. Over the years, there has been an increase in the number of malware being released into companies and economies.

Malwares are basically malicious codes that will cause abnormal behaviour in your computing devices. It includes viruses, worms, Trojan horses, spams, rootkits and backdoors. Malwares are used not only to disrupt business operations but also steal information or prepare for an imminent attack.

With hackers continually evolving their attacks, organisations are facing a tough time. To add to their woes, there is a shortage of skilled professionals to protect a business’s assets and maintain continuity. Not surprisingly, according to the (ISC)² Global Information Security Workforce Study (GISWS) 2015, the demand for information security experts has grown 3.5 times over the last five years. There is a global shortage when it comes to hiring the right person for enterprise security.

“The year 2007 was the first time when demand for enterprise security talent outpaced the supply. Cisco says that at any given point of time, there is a supply of 600 security personnel as opposed to 1,000, making the delta a worrisome number,” says Bhavya Sahni, marketing head, Mettl,  an e-assessment software for recruitment, training.

The talent crunch being faced by the security space is unique to this industry. Globally, client IT teams do not have the confidence in the integration capabilities of the development team at enterprise security organisations. Enterprise security organisations thus have to possess an army of developers, which can instill confidence in client teams that they are capable of strategic integrations. This can only be possible once talent works across verticals and industries. Increasing exposure for enterprise security talent to multiple business intelligence software is the only way forward, remarks Sahni.

Quoting a Frost and Sullivan survey, Clayton Jones, managing director, Asia-Pacific, (ISC)², says that situation in China and Japan seems to be worse compared to other countries. “In the 2015 study, we found that signs of strain within security operations due to the workforce shortage are materialising while companies and organisations are increasingly struggling to manage threats, avoid errors and are taking longer to recover from cyber attacks,” Jones says.  This shortage is hardly static.  In 2013, the percentage of security professionals reporting “too few” information security professionals was 55.9%, 6.3 percentage points lower than the 2015 survey.

What needs to be done

“Companies need to impart proper training programmes that lead towards globally recognised certification.  These courses offer a structured education development roadmap and there are continuous education opportunities,” says Aloysius Cheang, Managing Director, Cloud Security Alliance, APAC.

Many firms also work with local institutes to train future cyber security leaders. “Blue Coat is actively working with local institutes and organisations to equip the next generation of cyber security leaders, both in government and private industry. That said, the talent crunch will exist for some time,” says Matthias Yeo, CTO for Asia Pacific, Blue Coat Systems, a provider of security and networking solutions based in California.

Chuan-wei Hoo, CISSP, Technical Advisor, Asia-Pacific, (ISC)²,  feels that the profession must invest in the future and offer entry-level pathways. “New disciplines must be recognised and the resources needed should be put behind them. However, companies cannot do it alone. This calls for a societal response, which is beginning to happen, but not at the rate that is required to stay ahead of threats. It requires all parts of society to respond to this need.”

Things to do

• Business disciplines need to embrace security concerns, especially when it comes to technology adoption rates. Security by design will be the differentiator

• Watch for complacency in awareness. Delivering awareness training isn’t enough–it must be imbedded and contextual  so people can recognise accountability

• Governments must invest more, recognise that cyber security and the health of their economies are intrinsically linked

Long way to go for firms

• Many organisations have an unstructured or “ad hoc” approach to the malware containment process with no one person or function accountable. It reveals that while 67 percent of respondents report they have some type of structured approach to malware containment, 33 percent have an “ad hoc” approach
• Organisations are also aware that any measure adopted is only detective in nature and not totally preventive. A reality that is sometimes hard to comprehend at the board level. Nevertheless, the current state of preparedness is still better than not doing anything. The next paradigm organisations need to look at will be advanced analytics to counter malware, or some form of predictive security

[International Finance Magazine]