Security Skills Shortage Places IT at Risk

Experts Assess Impact of Open Positions

January 9, 2013

There is little argument among IT security practitioners and thought leaders that the shortage of qualified information security personnel places many organizations at greater risk of attack and exposure to other vulnerabilities that threaten the security of IT systems and data.

Information Security Media Group asked these veteran experts how the skills shortage affects IT security. We sought their views in conjunction with our latest analysis of U.S. IT security employment trends, which shows for the first time in two years unemployment among information security professionals [see 3% Unemployment Among Infosec Pros?]. But even with that sign of joblessness, a severe shortage of employable IT security experts exists.

"I've had one period of time where my program was severely impacted for close to a year due to the inability to find quality candidates to fill information security positions," says Marc Noble, vice chairman of the Cybersecurity Certification Collaborative and former chief information security officer at the Federal Communications Commission.

Top Executives Don't Get It

Although the IT security challenges caused by the skills shortage aren't new, they're being exacerbated by the growing threat landscape, meaning many organizations struggle with inadequate and sometimes unqualified staff - a fact that isn't always appreciated by those in the executive suite.

"The risks are greater from a lack of qualified experts, but we're still at a point where many organizations don't understand or prioritize the security risks they face," says Allan Friedman, research director of the Center for Technology Innovation at Brookings, a Washington think tank.

Among the respondents is David Shaw, chief information security officer at Purdue University, who expresses a frustration shared by many IT security professionals: "Those who are trying to penetrate our organizations don't face the same struggles in attracting talent. If you consider the statistics out of the Verizon Data Breach report [see Verizon: Hacktivists No. 1 Breach Threat], most of the compromised organizations fell victim to attacks that were not highly difficult. When a security organization has several positions open, management should consider that a risk."

'Experts' with Questionable Backgrounds

Several of the respondents point out that the shortage means organizations are hiring people who don't have the right cybersecurity skills. "We are seeing lots of people proclaim they are security professionals, but do not have the skills, education or experience ...," says Daniel Miller, national practice leader in Grant Thornton's cybersecurity and privacy business advisory service. "The lack of security professionals means that there is a greater risk of breaches of information for organizations without security professionals there to ensure that external and internal infrastructure is secure and that information in general is well protected."

Eugene Spafford, executive director of the Purdue Center for Education and Research in Information Assurance and Security, picks up that theme: "It tends to allow those with questionable backgrounds to portray themselves as 'expert' in the field - without competition or comparison, some of them are undoubtedly being employed."

Yet, it's not just employing the unqualified that poses problems for organizations, but the misuse of limited personnel that have the right stuff. That's because many organizations approach cybersecurity as a tactical and technical problem rather than a strategic and managerial one.

Plugging Holes, Running Behind

"As a result, the security personnel are constantly plugging holes and running behind," says Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, an independent, non-profit research institute. "Instead of building security into systems from the early planning stages, when it is more efficient and less expensive, organizations tend to add cybersecurity as an afterthought, when it is inefficient and costly."

Follow Eric Chabrow on Twitter: @GovInfoSecurity
