The information security workforce shortfall is widening. In this year’s survey, 62% of the survey respondents stated that their organizations have too few information security professionals. This compares to 56% in the 2013 survey. Also in a shift from the 2013 survey, the reasons for this hiring shortfall are less about money, as more organizations are making the budgets available to hire more personnel. Rather, an insufficient pool of suitable candidates is causing this shortfall. These new observations and others generated from this extensive survey (almost 14,000 respondents globally) allowed Frost & Sullivan, for the first time, to estimate the shortfall in the global information security workforce, which we project will reach 1.5 million in five years. This shortfall is the difference between Frost & Sullivan’s projection of the workforce needed to fully address escalating security staffing needs and our workforce projection that accounts for workforce supply constraints (e.g., a tightening labor market among security professionals).
Confronted with this set of circumstances, information security departments are pursuing several strategies. With greater budgetary freedom, a broad-based uptick in security spending is projected. Topping the list is increased expenditures in security tools and technologies; nearly half of the survey respondents expect an increase. A cautionary note to this type of expenditure was expressed by nearly two-thirds of the survey respondents. The incremental addition of security technologies without corresponding reduction in existing security platforms, what we term “security technology sprawl,” is weighing on the security team’s effectiveness and efficiency.
Increasing use of managed and professional security service providers to augment existing staff and address skill shortages is projected by nearly one-third of survey respondents. In a similar outsourcing vein, an increased use of security delivered as a cloud service is projected. Additionally, cloud adoption, in general, is expected to increase rapidly. In a bit of a dichotomy, cloud adoption relieves in-house security professionals of certain security operations that are entrusted to the cloud providers, but lingering concerns about security in cloud environments contribute to the need for in-house security professionals to invest in cloud security education and training, and to be active in managing security and compliance in cloud environments.
In the final assessment, the strategies of investing in security technologies, personnel, and outsourcing will be insufficient to materially reduce the workforce shortage. An expansion of security awareness and accountability throughout the organization is required. Casual attempts at security awareness and education only go so far. A more impactful approach is to embed real security accountability into other departments, in particular IT, and for the IT and security departments to function more collaboratively.