As part of the ESG annual IT spending intentions research for 2020, respondents were asked to identify the area where their organizations have a problematic shortage of skills. Cybersecurity topped the list of problematic skills shortage areas, just as it has for the past 9 years.
What’s interesting is that 44% of respondents selected cybersecurity in 2020, down from 53% in 2019 and 51% in 2018. Does this mean that the cybersecurity skills shortage is improving? I don’t think so. After living with the cybersecurity skills shortage for many years, CISOs understand that they can’t hire their way out of their problems. Therefore, many security executives are addressing the pervasive talent shortage by:
- Experimenting with new types of analytics. According to recent ESG research, 51% of large mid-market (i.e., 500-999 employees) and enterprise (i.e., 1000+ employees) organizations are using analytics based upon machine learning algorithms today. When asked why, the top responses were to improve detection of advanced threats, accelerate security investigations, and better identify cyber-risks. So, CISOs want machines to crunch and analyze more data and help them improve security staff productivity. We are still early on in this endeavor, but I see signs of improvement already. For example, the 2020 version of user and entity behavior analytics (UEBA) tools can run circles around those of a few years ago and will only get better moving forward. Machines simply must do the heavy lifting here – human beings can’t keep up with the scale.
- Embracing automation. As one CISO said to me recently, “If I can create a runbook for a security process, I ought to be able to automate that process.” I’m seeing this type of behavior more and more with security operations. A few years ago, many organizations automated obvious processes like phishing investigations but now they’ve moved on to formalize, document, and then automate a greater number of tasks. In many cases, hours of tedious work have been reduced to minutes, helping organizations gain more scale out of their security teams. This trend will accelerate in 2020, leading to a big year for SOAR (note: I hate the term SOAR).
- Extending their teams with professional and managed services. Of those organizations that have a problematic shortage of cybersecurity skills, 73% will increase usage of third-party services to help them dig their way out of this personnel hole. This increase applies to managed and professional services alike. Many CISOs I talk to are applying portfolio management to cybersecurity by going through all their responsibilities and deciding which ones to keep in house, which ones to outsource, and which ones they just need a little help with on-demand. It’s pretty much a given that nearly every organization needs help with cybersecurity, creating a tremendous demand for services – a great opportunity for Accenture, AT&T, IBM, Verizon, etc.
- Investing in training. Nearly one-third (32%) of organizations plan to increase cybersecurity training for the security and IT staff in 2020. Cybersecurity professionals can benefit from continuous education, making them more effective and productive at their jobs. Note that IT personnel are also participating – good news, as cybersecurity should be everyone’s responsibility.
- Consolidating security technology. Recent ESG research indicates that 77% of organizations are actively consolidating the number of cybersecurity vendors they do business with. In other words, CISOs are spending more money with fewer vendors and moving away from stand-alone point tools toward integrated security architectures with central management and distributed enforcement. This can help streamline vendor management and customer support while introducing things like common UI/UXs for security that the staff can better learn and operate.
Despite years of publicity, I believe the cybersecurity skills shortage is worse today than it was nearly a decade ago when ESG started researching this topic. Yes, supply has gone up a bit, but demand has risen much faster. The only way to address this is with smart coping techniques like those described above. If you can think of other successful methods, let me know.