9/6/2017
03:21 PM
Dark Reading
Products and Releases

81% of Infosec Pros Say Required Job Skills Have Changed

The change comes amid a skills gap the industry is facing.

Portland, OR - The digital security skills gap poses a challenge to organizations and their defense strategies in every economic sector. Even so, there’s little consensus on how enterprises should address this shortage of skilled security talent. Some say organizations place too little emphasis on the value of a classical engineering-focused education and that businesses can help close the skills gap by re-conceptualizing security “entry-level” roles. Others feel job seekers and hiring organizations should both do more to reconcile security with existing business needs.

These are all good ideas. But are organizations doing any of them? How are companies actually working to address the security skills gap?

To answer those questions, Tripwire commissioned Dimensional Research to survey 315 IT security professionals at U.S.-based companies with over 100 employees. Their responses reveal that the make-up of security teams is changing and that organizations are having to implement creative strategies to meet security needs.

Overall, Tripwire’s study found that 93% of information security professionals are concerned about the skills gap. This sentiment in part rests on an ever-evolving industry. More than three-quarters (81%) of respondents say the skills required to be a “great” security staff member have changed in the past few years. This development, among others, has helped shape the viewpoint shared by 72% of security professionals that it’s more difficult now to hire adequately skilled security personnel than it was two years ago.

Tim Erlin, vice president of product management and strategy at Tripwire, agrees with this framing of the skills gap:

“It’s evident that security teams are evolving and maturing with the rest of the cybersecurity industry, but the pool of skilled staff and training simply aren’t keeping up. For example, beyond their technical duties, security practitioners may now be expected to spend more time in boardrooms or in the CFO’s office to secure more budget. While the makeup of the cybersecurity workforce may be changing, the fundamentals of protecting an organization have not. It will be critical during this transition to ensure there’s a long-term strategy in place around maintaining the foundational security controls like the CIS CSC.”

Per Tripwire’s survey, organizations are indeed diversifying their security staff. Most companies are supplementing their teams by outsourcing for skills (91%) and are expecting non-security professionals to become more involved in their digital defense strategies (98%). One in five respondents said their organizations have already hired professionals with expertise not related to security over the past few years; about the same proportion of respondents (17%) expect to continue that practice through 2019.

But hiring is just the beginning. Erlin explains that businesses should then work to optimize these heterogeneous security workforces:

“The skills gap doesn’t have to be an operational gap. Security teams shouldn’t overburden themselves by trying to do everything on their own. They can partner with trusted vendors for managed services or subscribe to service plans where outside experts can act as an extension of the team. Organizations should also understand that security is a shared responsibility across different functions, so people from other parts of the business should be involved in the cybersecurity program. And, of course, automation can add value not only in reducing manual work, but also in ensuring that everything is up-to-date and working as it should in real time. Security teams may just need to work more creatively.”

It appears organizations are in agreement with Erlin. Eighty-eight percent of respondents think managed services would help to address the skills gap problem. Even more than that (96%) think automation will help address the digital security skills shortage in the future.

 
