Security Worker Shortfall Is Putting Organizations at Risk
SAN FRANCISCO—When asked whether their companies had as many information-security workers as they needed, attendees at the Cloud Security Alliance (CSA) Summit here just snorted and laughed.
With stolen intellectual property and data breaches regularly making headlines these days, no company or government agency feels that it has the resources it needs to secure its business, said Mark Weatherford, deputy undersecretary for cyber-security at the U.S. Department of Homeland Security (DHS), who asked the question during a keynote at the RSA Conference pre-show Feb. 25. In fact, security people are in such demand that Weatherford regularly steals workers from other agencies, he said.
"What's the unemployment rate for a good cyber-security person? Zero," he said. "We are all familiar with the fratricide going on."
Weatherford's statements came the day before the RSA Security Conference officially opened and underscored the serious shortfall the United States and its private sector face in securing their systems.
More than half of security professionals believe their companies' security staff should be expanded, compared to a third who believe they have enough staff, according to a Feb. 25 Frost & Sullivan report sponsored by International Information Systems Security Certification Consortium (ISC)2 and Booz Allen Hamilton. The number of executives who feel their security teams need help is even higher: two-thirds of respondents with a C-level title indicated that their security organizations are understaffed, with midsize companies the most concerned.
"The need for more skilled and qualified security professionals to deal with the onslaught of sophisticated cyber-attacks organizations are facing on a daily basis is real and acute," said Michael Suby, vice president of research at Frost & Sullivan and author of the report. "If we continue to let this skills gap grow, the economy will undoubtedly suffer."
More than a quarter of respondents indicated that a typical incident would take a day to remediate, while another 41 percent estimated that it would take more than a week for security staff to blunt a targeted attack.
The DHS's Weatherford praised the cyber-security competitions that have cropped up as a good way to train and promote cyber-security. In 2010, a sponsor of the competition, defense contractor Boeing, hired six members of the Cal Poly Pomona team that won that year's contest.
Yet a high barrier for many applicants is most companies' requirement that prospective employees have a college degree. Recommendations from the DHS's Taskforce on Cyber Skills highlighted a two-year program to train cyber-security professionals that could be taught at community and junior colleges.
"We have got to get over the fact that you do not need a college degree to be in our business," Weatherford told attendees. "Probably the five smartest people I know in our business did not go to college—they were using the time to break operating systems and applications."
He urged attendees to convince their companies to sponsor the competitions, adding that a modest sponsorship would more than pay for itself if the company hired one or more of the participants.