IT leaders can’t find enough capable security professionals to cope with the rapidly growing volume and sophistication of modern cyber-threats, despite employing more infosecurity pros today than they ever have, according to new research.
Security vendor Lieberman Software polled 200 IT security professionals at April’s RSA Conference 2015 in San Francisco, and found that few were coping adequately with the current threat landscape.
The majority (67%) said they were now employing more security staff than they ever had in the past, but over three-quarters (76%) claimed attacks are evolving at a pace faster than their white hats could cope with.
The problem appears to lie with the difficulty many have in finding suitably experienced professionals to recruit.
Some 85% said it was difficult to find good candidates.
The findings are echoed in the latest biennial (ISC)² Global Information Security Workforce Study, out earlier this year.
It found the number of (ISC)² members claiming there were “too few” information security professionals had risen from 55.9% in 2013 to 62.2% this year.
Particularly badly hit sectors were healthcare and education (both 76%), retail and wholesale (74%), and manufacturing (71%).
ESET security specialist, Mark James, claimed the main problem with IT security as a profession is that practitioners are expected to know everything right from the start.
“Unlike a plumber or an electrician that can often start a career with a set amount of training to be competent on the job and learn the finer points as they go, sadly IT security is an ever-evolving industry and people expect results at the start,” he told Infosecurity.
“The industry wants to employ an expert from the outset; he or she is expected to arrive and immediately start identifying all the problems and how to fix them. Of course there are a number of people out there that are capable of doing this but we would have a lot more if we helped train some of the less experienced personnel.”
He added that the best security professionals need a broad range of skills including psychology and sociology – not typically associated with those who go in for science/computing degrees.
“It’s often a long-term investment and results can be misleading. If you employ an IT security professional and never have a problem, is that because he or she is good at what they do or are you just lucky that you’re not a target?” he argued.
“Lack of funds and the industry’s believing they will not be a target only stems the flow and development of our next generation defense against the dark arts. We need to start right now, employ the right people with the right skill set and teach them the importance of protecting our most sensitive software, data and systems.”
Amichai Shulman, CTO of Imperva, added that skills shortages are endemic across the IT industry.
“Demand is growing much faster than availability,” he told Infosecurity by email.
“The way I go about this when looking for employees is to start with ‘skilled IT professionals’ and mostly replace ‘security’ with ‘curious, open-minded and eager to learn’.”