Cybersecurity expertise gaps: More than meets the eye
An S&P Global analyst charts the past, present and future of SecOps, where demand continues to outpace the supply of advanced skills.
A shortage of cybersecurity expertise is a time-honored topic in the tech world, but research by one industry analyst suggests the issue is more complex than most people think.
It's clear that SecOps pros are increasingly short on time to do their jobs, as cloud-native infrastructure grows more complex and cyberattacks become increasingly sophisticated. According to S&P Global's "Voice of the Enterprise: Information Security" survey, now in its 10th year, SecOps managers said they were aware of but unable to investigate 43% of alerts they received through security operations center (SOC) tools.
It's a number that has remained consistent over the years, according to Daniel Kennedy, principal research analyst for information security at S&P Global Market Intelligence, who has overseen that research since the beginning. But while some industry watchers attribute that trend to a lack of cybersecurity expertise in the workforce, Kennedy takes issue with the notion of an across-the-board skills gap.
"We can't lose sight of the security operations manager saying, 'Yeah, I don't have the people to investigate this,' as a very reasonable problem," Kennedy said in an episode of Informa TechTarget's IT Ops Query podcast. "[But] some of it is the expectations we're putting on security teams to maintain posture while at the same time constraining resources."
As with business continuity, executives frequently consider cybersecurity a kind of insurance policy, and the memory of critical incidents tends to fade over time, making employers less willing to invest in larger, more skilled SecOps teams. It can also be difficult for new SecOps pros to cultivate the interdisciplinary skills they need to advance from an entry-level position to one with intermediate skill demands, Kennedy said.
"The idea of security as an entry-level position always seems difficult to me, and the idea that you're going to start in a SOC and work your way up," he said. "Some people are going to do that … but I don't know that that's a great established path to walk. Most folks are better served starting out as programmers, like I was, or developers, something like that. Because it's a second-tier career, it's hard to create new security professionals."
These and other issues can feel like history repeating, especially over a decade, Kennedy said. Other cyclical themes in his SecOps research include time-honored debates about best-of-breed versus end-to-end platform tools, recently reignited by last year's CrowdStrike outage. Another is a lack of awareness of cybersecurity risks in critical infrastructure such as power and water utilities. Regulatory change, which can be an effective reinforcement for best practices in such areas, is often bogged down by lobbyists, partisan infighting and a lack of cybersecurity expertise among lawmakers.
However, Kennedy said his research also offers reasons to be hopeful about the future of SecOps.
"The percentage of folks saying, 'We could identify a breach in our cloud based on our own security monitoring infrastructure' has improved over time dramatically, and from 2015 to 2024, the percentage of folks thinking that the cloud provider somehow just takes care of this has gone down," he said. "If I'm asked to give people encouragement, that's my encouragement: Security is working more effectively with other teams, and certain long-term problems are getting better, even if it seems like they are not."
Beth Pariseau, senior news writer for Informa TechTarget, is an award-winning veteran of IT journalism covering DevOps.