Great news: If you're a security professional, your skills have never been more in demand. On the flip side, if you're looking for security talent, the search will likely be lengthy and difficult.
ISACA predicts that by 2019 there will be a shortage of two million cyber security professionals globally. And in a survey released by ESG and ISSA in November 2017, 70% of respondents stated that security skills shortages were impacting their organization. The survey also highlighted that highly-~~ ~~experienced staff were overloaded dealing with urgent security events that left them little time to focus on security strategy or training.
"As a medium-sized business, the security skills shortage poses a challenge for us as global tech brands and financial institutes take large parts of the talent pool out of the market," says Daniel Schatz, Chief Information Security Officer at Perform Group. "One consequence of this is a market with candidates who may not yet have the required skills or experience, but who are able to stipulate astonishingly high salaries due to the demand."
"For us, it is a constant process to balance the need to fill security roles with a pragmatic look at the talent in the market. The key is to find people who are passionate about what they do in information security and what we do as a company," continued Daniel Schatz.
The security skills shortage has not gone unnoticed by government agencies worldwide.
In 2016, the UK government stated that it planned to invest $2.5 billion in improving the country's cybersecurity defenses, with some of this funding allocated to training new security professionals. Additionally, in an attempt to encourage young people to pursue a career in security, the government launched the Cyber Schools Programme to teach 14-18 year olds the basics of security: programming, forensics, cryptography, and more.
In May 2017, the US government signed the Cybersecurity Executive Order~~,~~ which, among other initiatives, calls for the Director of National Intelligence to deliver a report identifying how the country will improve the skills of the security workforce.
The Australian government, too, has created a cybersecurity strategy revolving around collaboration among government, private businesses, education providers, and the research community to create centers of excellence in universities in order to increase the number of qualified security professionals.
In a recent article by Jay Coley, Senior Director of Security Planning and Strategy at Akamai, outlines how the dramatic decline in the number of students studying the science, technology, engineering, and mathematics (STEM) fields has contributed to the security skills shortage.
In my view however, this is not the only factor that has contributed to the skills shortage. I posit that there are three other drivers.
First, technology has evolved at unprecedented speed in the last ten years, transforming nearly every aspect of business. In the past, you had a data center that ran your business applications, and the vast majority of users sat in a local office and used an on-site PC to access applications. This homogeneous structure made it relatively easy for a business to protect itself by building a robust, fixed perimeter. But now, applications and data live in the cloud; users access workloads from smartphones, tablets, and laptops from anywhere, at any time; and many of these devices are not managed or controlled - or even owned - by the company. This seismic shift creates new security vulnerabilities and exposes new attack surfaces.
Second, the threat landscape has transformed significantly. Businesses now face a tsunami of ever-evolving threats that are created and executed on an industrial scale. These threats are sophisticated and targeted, and the cyber criminals behind these attacks are persistent, patient, and highly incentivized. Add to this the fact that an entire ecosystem has developed that enables malicious actors to build, deploy, and monetize malware and ransomware even further. Malware-as-a-service (MaaS) and ransomware-as-a-service (RaaS) are readily available, cheap to purchase and download, and openly advertised on popular sites.
Third, the changes in technology and business practices, along with the industrialization of threats, have created a myriad of new security products and services for companies to deploy to improve their security posture. While an overall positive, this influx also brings much complexity. In the old world of a strong~~,~~ but static perimeter, a company likely had a firewall and endpoint security. Now, one business might employ secure web gateways, cloud-accessible security brokers, data leakage protection, intruder protection and detection, mobile device management, identity management, and more. That's a convoluted number of technologies to deploy, manage, and plumb together. And, the products themselves have become more complex; a market-leading secure web gateway now typically requires a week of intensive training to become proficient, for example.
When you look at the confluence of these three drivers, it's clear that modern businesses need bigger security teams with a broader skill set. Combine this with the decline in STEM studies, you have a perfect storm.
In early 2017, Akamai's IT team piloted our newest security product, Enterprise Threat Protector, on its own corporate network. Enterprise Threat Protector is a cloud-based security service that uses recursive DNS as a control point and leverages the threat intelligence garnered from Akamai's unparalleled view of the internet. In a nutshell, Enterprise Threat Protector looks at all DNS traffic on the network and determines if requested domains are safe or malicious. If a request is malicious, the user gets a block page; if it is safe, the request proceeds as normal. This comprehensive protection can be configured and deployed globally in minutes - all that is required is a simple change to the existing DNS setup.
Our internal IT team was astounded by the significant and quantifiable benefits delivered by the service during a very controlled trial that lasted from March to May 2017.
The benefits included:
"Saving 0.75 of an FTE by deploying Enterprise Threat Protector has allowed us to free up resources to look at other important security projects that were being delayed due to the workload of the team," says Keith Hillis, Director of Enterprise IT Risk and Security at Akamai. "Enterprise Threat Protector is such a simple and straightforward service to manage that we can use less-experienced members of the team to do the little ongoing management work that is needed week to week." Watch the full interview with Keith about Akamai's use of the product here.
For more information, read the full Case Study: Why Akamai Uses Enterprise Threat Protector and visit www.akamai.com/etp.