Security talent is in short supply, and the industry will have a deficit of more than a million IT security professionals worldwide in 2014, according to Cisco's recently released annual security report.
Enterprises have stretched their network perimeters to include mobile endpoints and cloud environments as they opt to store critical applications outside of their own data centers. With more ground to cover and less expertise in place to monitor these extended networks, many IT teams may not be ready to address these rapidly changing security considerations, said Levi Gundert, technical lead at Cisco Systems Inc.'s Threat Research Analysis and Communications group. Cisco is predicting a deficit of over one million security professionals based on IT analyst firm Frost & Sullivan's projection for security job growth -- a number that will rise from 2.28 million in 2010 to a predicted 4.24 million in 2015.
The shortage of IT security professionals will threaten enterprises because IT organizations can't rely on products alone to keep them secure. "This is a much larger problem than most people realize," said network engineer Nick Buraglio. "The technology evolves so fast that by the time an enterprise has tools installed and ready to go, they are already outdated," he said.
This deficit of IT security pros also stifles innovation, Buraglio said. "Important things that need to happen -- like IPv6 deployments -- are getting put on the back burner because many enterprises' security tools don't support [IPv6], and their security guys don't understand it," he said.
Enterprises can't afford to leave their expanding networks defenseless. They need to hire and train more IT security professionals and work with technology and services that meet independent testing benchmarks and can prepare businesses for sophisticated cyberattacks.
Lack of pros, but no lack of IT security career opportunities
The security skills deficit comes at a critical time. Cyberattacks are more sophisticated every year and the use of cloud services has stretched and weakened enterprises' defenses. Cisco's annual security report found that 100% of a sample of 30 of the world's largest Fortune 500 company networks generated traffic to websites that host malware. Many hackers today are also targeting Internet infrastructures, which most enterprises rely on for access to the cloud. The Internet saw a cumulative annual alert total increase of 14% from October 2012 to October 2013, Cisco's report said.
Enterprises not only need IT security professionals who know how to monitor environments; they need engineers who can remediate these complex threats while making their infrastructure less attractive to hackers.
"It's not really a matter of when you're going to be compromised, it's more about how long it takes you to detect and remediate. [Enterprises] need to start closing that time window," Gundert said. "To do that, [enterprises] need security talent, and individuals that know how to use the tools and have the experience," he said.
Even the most sophisticated IT security professional won't be able to protect a network from every type of attack, but CIOs and IT teams should decide which data, or parts of the corporate network, require prioritized protection, Cisco's Gundert said.
A fully staffed IT security team is also no guarantee that an enterprise is safe. Those security pros need to be dynamic, said Forrest Schroth, network manager at Randstad US, an Atlanta-based staffing and recruiting agency. "It's not like security professionals can go to school for four years and then simply implement what they learned -- this is a constantly changing area, and as the network changes, there are so many more ways [for hackers] to break into it," he said.
Smaller organizations that can't afford ongoing education for an in-house security professional might need to outsource network security to managed providers or use cloud-based security services, said Peter Firstbrook, research vice president for Stamford, Conn.-based Gartner Research Inc.
Outsourcing network security does pose some risks, Randstad's Schroth said. "Businesses are dynamic entities that are constantly in a state of flux with new requirements, and that's a very hard position to outsource."
Lack of security expertise contributes to the erosion of trust
IT security pros have even more work to do in light of German news magazine Der Spiegel's report that the U.S. National Security Agency penetrated the network security product supply chain, intercepting shipments of firewalls, routers, PCs and servers from large, U.S.-based networking vendors and hacking backdoors into the equipment. Security products need to be tested and scrutinized more than ever. Many organizations with understaffed IT security teams will struggle to validate whether vendors and products will be able to successfully block threats while maintaining the integrity and privacy of their data.
"The reality is that some things exist beyond IT's control," Gartner's Firstbrook said. "Enterprises just have to choose suppliers very carefully today."
Technology vendors will need not only to assure customers that security is a priority in their manufacturing processes, but also to be prepared to back up those assurances through third-party accreditation and testing organizations that can confirm to enterprises that the products are free of backdoors or vulnerabilities, Cisco's Gundert said.
"When a vendor tells me their security product can do X, Y and Z, I'm not going to just take their word for it," Buraglio said. "I want empirical evidence that it's actually the case -- I never trust what anyone says, and that's why enterprises should take advantage of independent testers if they don't feel confident with the security expertise [in-house]."