Although the recent congressional budget approval sent civil servants back to work, the government shutdown understandably rattled their job security. Within agency security departments, the impact perhaps has been even more costly. At a time when the government must do everything possible to attract talent, the shutdown presented a significant detractor. Combined with the existing “skills gap,” government hiring managers are now at a real disadvantage.
Each day back at work, government security teams are getting clarity on the impact of the shutdown on their agency’s system security and are cleaning up where systems have been compromised. But what is the current status of the skills gap? Last month, Tripwire commissioned Dimensional Research to survey 336 IT security professionals in order to see how much the skills gap has increased over the past two years and the progress being made (if any) by organizations to find skilled professionals.
The survey found that 80 percent of survey respondents believe it’s becoming more difficult to find skilled cybersecurity professionals. As emerging technology and threat landscapes experience rapid transformation, the skillsets needed have changed as well. Nearly all respondents (93 percent) say the skills required to be a great security professional have changed over the past few years.
The survey also found that while 85 percent report their security teams are already understaffed, only 1 percent believe they can manage all of their organization’s cybersecurity needs when facing a shortage of skilled workers. Nearly all respondents (96 percent) say they are either currently facing difficulty in staffing security teams due to the skills gap or can see it coming. Of those, 68 percent are concerned with losing the ability to stay on top of vulnerabilities, 60 percent worry about being able to identify and respond to issues in a timely manner and stay on top of emerging threats, and 53 percent fear they will lose their ability to manage and secure configurations properly.
This does not bode well given that prior to the government shutdown, agencies lacked the human resources to maintain even the most basic of cyber hygiene practices.
The fact that the skills gap issue continues to worsen is troubling, since cybersecurity threats only continue to grow. And the problem doesn’t just go deep, it goes wide. Security teams aren’t simply lacking more people, they need those with new skillsets to deal with evolving attacks and more complex attack surfaces as they include a mix of physical, virtual, cloud, DevOps and operational technology environments.
So, the important question becomes, what are organizations doing about it? A recent study by (ISC)2 estimated that 500,000 jobs are currently unfilled in North America and another study by Cybersecurity Ventures’ predicted that 3.5 million positions would be unfilled worldwide by 2021. With those numbers looming, progress is not an option. When asked how their organizations planned to cope, respondents revealed:
- Ninety-three percent say they would benefit from security help outside of their organizations.
- Ninety-four percent say they have invested in or are likely to invest in managed services for security.
- Ninety-six percent have invested in – or are likely to invest in – automation of security tasks.
These results demonstrate a growing trend for organizations to consider more automation of security tasks and support through managed service to ensure that no critical security controls are dropped.
“Security teams are talented, but there are only so many balls they can keep in the air by themselves when they have a distinct lack of resources,” said Tripwire’s Senior Manager of R&D Anthony Israel-Davis. “One way to keep those balls from hitting the ground is automation. And when it comes to cybersecurity, this can mean bringing in managed services.”
The bottom line for government agencies? Security teams are stretched thin. It’s going to be more important than ever to build strong partnerships. Collaborating with trusted vendors will take pressure off in-house resources. Of course, this does not give the government a hall pass to continue its shutdown measures in the future.
