When it comes to IT security, the biggest risk to an organisation isn’t the technology itself; it’s not having staff with the skills to stay on top of that technology and to build a strategic approach to risk reduction. Throughout this article you’ll find a number of recommendations, along with the pros and cons each brings to the business.
According to the Frost & Sullivan 2015 (ISC)2 Global Information Security Workforce Study – a survey of nearly 14,000 information security professionals from around the globe – the proportion of organisations lacking the security skills necessary to protect their IT assets and information has risen by six percentage points, from 56 per cent to 62 per cent, in two years. If that trend continues, three in every four organisations will be exposed by a lack of skilled security professionals within the next four years.
The report goes on to describe the long-term impact the skills shortage is having on business. Very few organisations have the capacity to think strategically about IT security, and creating a properly nuanced, forward-thinking risk reduction strategy is little more than a pipe dream. Instead, overworked and understaffed IT security teams spend their days putting out fires and cleaning up the damage after an attack.
With the rapid growth in new threats and increasingly organised criminal groups, IT teams are only going to face more pressure. This situation is creating a great deal of workforce churn – as any high-stress working environment does – and the costs of re-hiring or re-training staff during such a severe skills shortage are yet another headache that modern businesses of any size will need to grapple with.
An article on ITNews recommended that industry bodies and organisations address these challenges by broadening the range of certifications a company will accept when considering a candidate. Part of the problem is that naturally talented people, such as aspiring coders straight out of high school or university, find it difficult to obtain the certifications they need for a company to even look at their application. If recruiters were instead to identify the security tasks these individuals can already perform, the most urgent need to grow internal IT teams could be met.
While this is a worthwhile suggestion, it is very much a band-aid solution: it would help with the day-to-day effort of putting out fires without addressing the underlying shortage of the senior-level skills organisations need in order to approach security strategically.
This problem can be addressed by passing some security responsibilities to service providers that write security into their SLAs. For these companies, security is core to their business model, so they recruit the finest security minds in the industry and give customers access to that expertise. Note that an SLA transfers a contractual obligation, not accountability: the organisation still owns the risk and must define what the provider is responsible for and how it will be measured. These additional security resources might not replace an organisation’s internal security team, but they will certainly act as an additional resource that softens the burden.
Beyond that, the service provider’s role as a partner can help foster strategic-level thinking within an organisation. For the majority of companies struggling to build a comprehensive, forward-thinking security risk management strategy, having trusted experts from outside the organisation examine the IT infrastructure will prove to be the quickest and most cost-effective way to get there.