The annual RSA Conference is no stranger to discussions about the security workforce shortage. The theme continued this year, with multiple ways being proposed to address the problem. Examples include increased use of managed security services, automation, and government-driven initiatives to provide more candidates with the right aptitude and attitude to work in cybersecurity.
More than 2 million open vacancies require a change in thinking
At the RSA Conference in San Francisco, one of the recurring themes was around the security workforce. Many organizations – public and private sector, technology companies, users of security technology – find that attracting and retaining security staff within budget is a huge challenge. Staff frequently move around, tempted by another $20k from the next company down the road, alongside the promise of a "more exciting" place to work.
Globally, the workforce shortage is estimated at over 2 million open vacancies. Given the constantly evolving cyberthreat landscape and the need to mitigate the risks associated with these threats, this shortage is only likely to increase.
End-user organizations with shallow pockets tend to suffer the most here. Security is often reactive in these enterprises, boxes are ticked in support of compliance, and harassed individuals can struggle to see a career path. The temptation of other jobs can be too great for some and the resulting vacancy can be extremely difficult to fill.
As such, we are seeing increasing numbers of enterprises turning to services to support some or all of their organization's security needs. Some security technology vendors, traditionally having sold products to these enterprises, are now expanding their offerings to include delivering their product as a service – a trend we will explore further in Ovum.
Still, service providers and security technology vendors require staff with the necessary skills and expertise to maintain and develop their products and services. To this end, organizations such as the Industrial Development Authority (IDA) Ireland are working with major security technology vendors and other large employers in the focus areas of Dublin, Cork, and Galway to set up Cyber Ireland. This initiative is designed to build graduates that fit the needs of enterprises, with the upskilling of current and potential new employees so they are better prepared to work in various aspects of cybersecurity.
One other approach to the workforce shortage in cybersecurity is increasing amounts of automation in security products, freeing up employees from mundane tasks (e.g., dealing with false positive alerts) to undertake more valuable work. The conference had plenty of evidence of this, and again Ovum will explore this further in more research to come.
2019 Trends to Watch: Cybersecurity, INT003-000295 (December 2018)
Cybersecurity for Digital Government Leaders, IT0007-000952 (November 2017)
"Increasing automation in cybersecurity will not make humans obsolete," INT003-000233 (September 2018)
"Will 2019 bring better security news?" INT003-000312 (January 2019)
Maxine Holt, Research Director, IT Infrastructure