IT Security Skills Gap More Harmful for SMBs Than Larger Firms

More than half of small businesses do not have regular access to security experts, and two-thirds have no training or certification in security.

The shortage of security professionals is hurting small businesses far more than large enterprises, according to a survey conducted by IT service provider Spiceworks.

Fifty-nine percent of businesses with fewer than 500 employees had no access to a security expert, whether internally or through a third-party contractor or managed security provider. The problem was less of an issue, but still significant, for large companies—those with more than 500 employees—of which a third did not have access to security expertise.

Without regular checkups or auditing, smaller companies are at a disadvantage, Peter Tsai, senior IT analyst at Spiceworks, told eWEEK.

"It is really hard for a one-man shop … to do security because you are expected to do all the other tasks around the office," he said. Even in smaller companies, "security is almost a full-time job, and it is really hard to adequately protect your network if you do not have the right resources."

Spiceworks polled more than 600 IT specialists in the United States and the United Kingdom for the survey.

The shortage of IT professionals knowledgeable in security is hampering business efforts to protect their networks and data. By 2020, organizations worldwide will be facing an estimated shortage of 1.5 million security professionals, according to a 2015 study by Frost & Sullivan.

Overall, business leaders viewed cyber-security as important, but most would require some convincing before paying for their IT staff to be trained in security, according to Spiceworks' survey. Almost three-quarters of chief information security officers (CISOs) and senior IT leaders, for example, considered cyber-security an important priority for 2016, the survey found. More than half of CEOs also agreed.

Yet, while a quarter of businesses have either invested in security training or encourage security training, some 57 percent of employers are only somewhat open to the idea of training and would require convincing.

"Training is the way to go," Tsai said. "They [the IT workers] all desire to learn about these new skill sets, but employers are not always willing to pay for it."

Most IT experts were not convinced that they could detect and respond to a cyber-attack targeting their cloud infrastructure or the Internet of things. The specialists had more confidence that they could detect attacks on more traditional technologies, such as laptops, desktops and servers.

About 29 percent of companies had a cyber-security specialist in the IT department, and another 9 percent expected to hire one in the next 12 months. Another 23 percent used an outside contractor or managed security service for cyber-security expertise, with 13 percent expecting to hire a third-party expert in the next 12 months.

Yet hiring more security people is not necessarily the best approach, Spiceworks' Tsai said. A multi-pronged approach of training, acquiring better technologies and improving the business' security processes is necessary, he said.

"To solve security threats and problems, you have to take a holistic approach," Tsai said.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...