The global cybersecurity skills shortage continues to be a critical issue. For example, ESG research found 45% of organizations report a “problematic shortage” of cybersecurity skills today, more than any other area within IT.
Want more? Here are a few tidbits from last year’s research project done in conjunction with the Information Systems Security Association (ISSA). In a survey of 437 cybersecurity professionals and ISSA members:
- 29% of cybersecurity professionals said the global cybersecurity skills shortage has had a significant impact on their organization. Another 40% said the global cybersecurity skills shortage has impacted their organization “somewhat.”
- When asked to identify the impact of the cybersecurity skills shortage:
- 54% said it increased the cybersecurity staff’s workload
- 35% said their organization had to hire and train junior staff rather than hire people with the appropriate level of experience necessary
- 35% said the cybersecurity skills shortage has created a situation whereby the infosec team hasn’t had time to learn or use its security technologies to their full potential
While the cybersecurity skills shortage endures, the industry itself remains white hot. According to a recent Bloomberg business article, the cybersecurity industry is expected to grow about 7% a year through 2019 to reach $46 billion in valuation.
Coincidence? I think not. Cybersecurity is a people-intensive, highly skilled discipline, so it’s safe to assume the lack of qualified professionals, as well as the overwhelming workload of employed cybersecurity folks, is a root cause of the perpetual wave of security events and data breaches. Likewise, these security incidents are driving financial growth and opportunities in the cybersecurity industry.
Fat cats on Wall Street and Sand Hill Road are making good money on cybersecurity; however, it’s important to understand that the cybersecurity skills shortage giveth and taketh away. Just look above at the ESG/ISSA data: 35% of survey respondents said their cybersecurity staff is so busy—that it doesn’t have the time to use cybersecurity technologies to their full potential!
CISOs are living with the cybersecurity skills shortage and adjusting accordingly. In fact, smart CISOs take the skills shortage into account with every decision they make. What does this mean for investors, VC-backed startups and security technology vendors?
1. Ease of deployment, ease of use, and time to value have become cybersecurity table stakes. While cybersecurity technology will never be a “set it, and forget it” domain, CISOs will buy only products that can be deployed, configured and utilized quickly. VCs should walk away from anything that demands custom configurations, long assessment and deployment projects, or in-depth user training.
2. Solutions should include services. For example, several great threat intelligence platforms (TIPs) are available today, but only elite organizations know how to build a world-class threat intelligence program to benefit from these tools. Threat intelligence vendors (i.e. Anomali, Flashpoint, RecordedFuture, ThreatConnect, ThreatQuotient, etc.) should work with service providers that offer training, project management and deployment services for threat intelligence program. Remember, too, that most organizations don’t have the experience or staff size to take this on themselves. That means staff augmentation services, SaaS offerings and MSSP services will dominate a skills-challenged market for threat intelligence analysis and many other areas of cybersecurity specialty.
3. Baked-in automation, intelligence and orchestration should do some heavy lifting. There are simply too many things to do (i.e. investigate alerts, scan for software vulnerabilities, remediate risks, etc.) for current cybersecurity teams to keep up. New technologies must pitch in with improved intelligence to help identify and contextualize real problems, reducing analysts’ time for investigations. And new tools must automate and orchestrate processes to address the complexity of today’s manual infosec tasks. Think of automobile manufacturing before and after Henry Ford—that type of quantum improvement is needed for cybersecurity today.
4. Think architecture. Just as Marc Andreessen predicted, software is eating the world, and cybersecurity is no exception. In fact, cybersecurity tools are moving into a software-defined paradigm that ESG calls a security operations and analytics platform architecture (SOAPA) where each tool adds its own unique value while becoming a part of a greater system. New technologies must be designed to stand on their own and contribute to a greater whole.
The global cybersecurity skills shortage and the increasingly dangerous threat landscape show no signs of abating. Therefore, the only way to move ahead is to create new technologies that can bridge both gaps. Investors who understand the ramifications of the global cybersecurity skills shortage will prosper financially, while creating companies and technology solutions that truly deliver value to the market.