[Posted on Behalf of Dennis Leber Cybersecurity Executive | CISO | Board Member | Educator | Speaker | Author]
Cyber-Security Skills Gap
Recent events have brought attention to cyber-security and to the need for highly skilled, trained cyber-security professionals. One such event was the data breach of Target, which exposed 40 million credit and debit cards, resulted in 70 million records being stolen that included names, addresses, email addresses, and phone numbers, and resulted in over $200 million in cost for credit unions and banks to reissue 21.8 million cards. This breach cost Target $100 million to upgrade their payment terminals, and 1 to 3 million cards were successfully sold on the black market, earning the hackers approximately $53.7 million. (“The Target Breach: By the Numbers”, 2014)
The shortage of cyber security professionals was highlighted in the Target case. At the time of this breach, Target did not have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO). (“Target’s Chief Information Officer Resigns”, 2014) Recent research conducted by the RAND National Security Research Division (Libicki, M., Senty, D. & Pollak, J., 2014) found that there is a shortage of cyber security professionals both inside the US Government and in the private sector. This report further found that these shortcomings were larger at the top of the capability scale.
An overwhelming theme in these studies is the shortage of cyber-security professionals, and that the shortage is due to a lack of skills among the individuals who could fill these shortages (Libicki, 2014). Yet where a skills gap is mentioned, there is never a solid definition of these skills. It is the identification of these required skills, and the development of programs to aid IT professionals in becoming proficient in cyber security, that will turn the tide and begin to fill the numerous open positions.
The driving articles and theories that inspired this article are studies conducted by the RAND National Security Research Division (Libicki, M., Senty, D. & Pollak, J., 2014) and research conducted by the company Enterprise Strategy Group (Oltsik, 2014).
Some of the highlights from the key findings RAND presented:
Shortages occurred at the high end of the cyber-security workforce. This includes the top 1 to 5 percent of the cyber-security professionals. This shortage exists in the workforce that requires more than a base set of competencies.
Larger organizations have overcome these shortages through internal promotions, education, and focused training. This is directly related to the available budget to invest in these programs. It was also determined that smaller firms simply cannot afford to take this approach and lose talent to the bigger, well-funded firms.
Organizations have identified some personality traits such as the curiosity of how things work or fail as an indicator of success in cyber-security.
Academic organizations have risen to the challenge of training cyber-security professionals, and have done a good job of staffing qualified professors addressing individual niches in the IT industry.
The ESG key findings are:
30% of organizations said that their network security staff skills are inadequate
44% of organizations stated that the networking/security staff with strong knowledge in both security and networking is inadequate
38% of the organizations stated the ability of the staff to keep up with security changes is inadequate
37% of organizations stated the security staff is inadequate in keeping up with the threat landscape
47% of the organizations stated a shortage in network security staff
The shortage of cyber-security professionals, which recent breaches across various industries have highlighted, continues to demonstrate the need for a specialized focus on cyber security and for investment in cyber security programs. This includes training for professionals, investment in solutions, and resources. These facts demonstrate that these investments need to be made at the top of organizations.