Companies around the world will face a shortage of almost 3 million professionals in the field of IT security during the next few years. In the Europe, Middle East and Africa (EMEA) region, the gap currently amounts to 142,000 experts. As shocking as that number is, it is dwarfed by other regions. North America is looking at a gap of nearly half a million professionals, while Asia tops the list at 2.14 million. These figures come from of a survey among the members of the (ISC)2, the largest certification organization for information security in the world.
The Global Information Security Workforce of 2018 study also shows that 59 percent of companies around the world are unsuccessful in their attempts to hire qualified employees. The most sought-after experts are in the fields of security awareness (58 percent), risk assessment, analysis and management (58 percent), security administration (53 percent), network monitoring (52 percent), and incident investigation and response (52 percent).
This problem of finding qualified security professionals is magnified as security measures, including secure coding, data encryption and access control (roles and rights concept), must now be incorporated into services and products as early as the product idea stage. The retrospective addition of security measures practiced in the past has been notoriously insufficient.
Increase in the lack of specialists
IT tasks have also been multiplying for years for a multitude of reasons, including constantly evolving cyber threats, while personnel levels have not shown the same increases.
The challenges are becoming even more complex when it comes to the administration of software and hardware, not to mention the natural development of shadow IT. Furthermore, companies have to manage the growing number of devices attempting to access the network due to BYOD policies. And, the fields of DevSecOps and microservices have also appeared on the scene and must likewise be integrated into existing security strategies.
All of this requires internal resources as well as the costly expertise of external consultants. For example, specialists from the fields of mobile security, cloud security or cryptography are needed to handle specific requirements. This specialist knowledge is acquired through advanced training and education. But companies find themselves with a staff shortage while these experts are getting up to speed on company-specific products and processes. The high degree of specialization needed today makes it difficult for companies to engage the right employees as they compete for the brightest minds in a virtually empty market.
Automation as a solution approach
Many day-to-day IT security tasks can be automated, which presents an opportunity to mitigate the lack of specialists. Patch management, the management of digital machine identities and password management are just a few examples. But the whole of IT, in general, and the administration of IT security solutions, in particular, are not the only tasks where automation can provide support for IT security experts. There are a wide range of security services where manual work can be automated, providing the company with greater security. However, this automation should also be accompanied by real-time information about the security status of the company.
For the different systems to interact intelligently and for automation to be successful, the various security solutions have to communicate with each other regardless of the manufacturer. For example, a security solution that monitors internet access determines that a client is infected with a botnet. Ideally, this information should be passed on to the client software, which should automatically trigger a remediation process.
This type of automated interaction can reduce manual work for IT security, thus relieving some of the workload on the security department. IT experts are then able to concentrate on tasks that are required to increase protection of company assets in the face of modern threats. This may include forensics, root cause analyses and threat hunting.
Conclusion
The lack of specialists is a critical element in the increasingly complicated world of IT. The staff responsible for IT security has to fight a many-headed beast to protect companies against modern cyber threats. Organizations must therefore embrace a new strategy to provide some much-needed relief to an overburdened IT staff. The automation of day-to-day routine work and time-consuming tasks is one strategy, and just might be the best and most immediate solution to this ongoing, and growing, problem.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rainer Rehm is Zscaler Data Privacy Officer, EMEA