When people say there’s a security skills gap, this is what they really mean.
Incident Investigation and Security Analysis
As organizations drown in alerts and try to figure out a way to prioritize incidents for investigation, automation will play a huge role in stopping the insanity. But that won’t ever replace the importance of smart people to direct the automation, and follow up with human intuition and foresight to move investigations forward and mitigate the root problems. According to a recent study by ESG on behalf of ISSA, the roles that enterprises have the most difficulty filling are those involving incident investigation and analysis. That figure is validated by CompTIA, which also found that skilled security analysts are the hardest-to-find security specialists in today’s market.
Cloud Security Wisdom
With organizations increasingly moving their development activities, data and even application workloads to the cloud, they need security practitioners who know how to secure complex hybrid environments. According to one survey by Intel, 93% of organizations at this point use cloud services in one form or another and 62% store sensitive information in the cloud. Yet, just under half say that their effective use of the cloud is stymied by a lack of cybersecurity skills in this arena.
Dark Reading’s 2017 Security Staffing Survey shows that most people in charge of hiring security talent believe there is at least some kind of skills shortage on the market. Some of the biggest shortages are not necessarily specific to roles or technical competencies but instead a familiarity with the kind of business they are trying to protect. According to the survey, nearly three times as many hiring managers look for people with experience in defending organizations similar to their own than they seek a formal education in cybersecurity.
This de-emphasis on formal education seems to be a common theme picked up in cybersecurity workforce surveys. A recent survey conducted by ISACA reconfirmed it, as survey respondents reported that their biggest concern is finding people who not only know a lot about security but who have put that knowledge to the test in the real world. That hands-on acquisition of skills easily beat out formal education, special training, and certification by a significant margin.
As DevSecOps drives organizations to be more collaborative, security personnel at all levels must increasingly learn to play nicely with others in IT and beyond. Dark Reading’s 2017 Security Staffing Survey found that over half of IT pros believe the most in-demand skill in filling security roles are technical people with soft skills, like communication.
By rights, security professionals should be working as internal consultants to help organizations minimize risk as much as possible while still carrying out the kind of digital transformations that will enable them to stay competitive in the app economy. A recent CompTIA report found that the number one biggest overall IT skills gap category that is impacting digital transformations is the one having to do with aligning technology with business objectives. If security professionals are going to act in that consultative role, they need to understand both general business principles and the specific business concerns unique to their organization.