It's no secret. There are not enough skilled applicants coming down the pipeline to fill the security jobs that are out there. While I've heard it in almost every conversation I've had with security professionals for the past several months, I just don't understand how this can possibly be true.
Survey says, "It's true!" According to Mike Gerdes, director of information security at Experis, it's a frightening truth that has a lot of folks scrambling to figure out what to do. "In the next three years, the demand for security talent is expected to grow by 2.5 million, but the supply only by 1 million, leaving a jobs gap of 1.5 million," Gerdes said.
"We have been doing talent surveys for 10 years. The gap is growing in technical challenge shortages and IT security, and the shortages are getting very acute," Gerdes said.
The rapid pace of innovation has done wonders for IoT, but IoT has produced a preponderance of more intelligent mobile devices that are all creating information. "The problem," said Gerdes, "is that information has to be processed, which has created a bubble of information that organizations aren't equipped to deal with. Basic operations people may have been good at what they were doing, but they don't know how to process the data coming in."
But there are so many automation tools out there that it seems to me that there would be fewer jobs available for actual human beings, which isn't the case.
"Yes, there are lots of tools out there, but the problem is that out of the box they are not tuned to react to the environment they are in and allow legitimate traffic. You still need an expert to set up the tuning," Gerdes explained.
Even a data leakage prevention filter can create problems: some normal business transactions may suddenly be blocked because, by default, they are on the black list. Gerdes cited this and similar situations as evidence that the future of security relies on man and machine working in harmony.
"No, sometimes you don't need to have that person on your staff. You could hire a third party as a service or a contractor and just buy the appliance and use the person," but Gerdes said even that approach eats up resources.
But if it's the skill sets that are lacking, then wouldn't it also be true that criminals are not adept at these skills either? Won't there also be a bad guys gap?
Gerdes said, "At this point, in many cases, people that are working on the Dark Web side of the equation tend to be better than the enterprises about sharing information to help one another. The bad guys are more adept at sharing information that finds that crack--not the final attack tools--but the concept and research."