Changes abound for information security teams to address skill shortages and labor retention

In a study conducted by 451 Research, a part of S&P Global Market Intelligence, information security professionals were asked about the changes being made in their organization’s security teams to address challenges including staffing and retention. The study looks at in-demand skill sets, what is needed today and what is not covered adequately.

The Take

This year’s primary question surrounding the seemingly perennial security skills shortage, which we have been tracking since 2018, is what the effect will be on security workforce hiring and retention as the labor market moves from a post-pandemic Great Resignation period to a correction period, which includes layoffs triggered by several interest rate hikes by the Federal Reserve and other central banks to curb inflation. Most indicators point to some, albeit limited, relief in the difficulty of security hiring. Last year, security managers rated recruiting security professionals as a 7 on average, based on a 10-point scale where 10 is “extremely difficult.” This year, it is rated as a 6.76. Retention has gotten a little more difficult, moving from an average of 5.94 last year to 6.1 this year, with interview responses noting the retirements of experienced professionals following the pandemic as a challenge, especially around legacy technology stacks. Just 28% of security teams are adding staff this year, down from 37% last year. While layoffs dominated headlines earlier in the year, only 12% of enterprises are reducing the size of their security teams, up from 7% last year. About 35% of respondents note their teams are not staffed properly, while another 39% somewhat agree they are staffed to meet the security challenges their enterprises are facing.

Summary of Findings

The most cited significant change in organizations’ information security teams this year is the addition of managed security services, either to augment staff or person power (37%), to augment specific security skill sets in short supply on internal teams (46%), or to handle specific event-based issues (16%) such as incident or forensic response. Adding staff is the second most significant shift for teams, with 28% of represented organizations bringing new team members on. This is down from 37% last year. Just 18% of enterprise security teams have welcomed a new leader (e.g., CISO) to their organization.

The top skill sets cited by the most respondents as important today include network security (55%), security architecture (47%) and security operations knowledge (45%). Skills that are inadequately addressed within their teams according to security leaders include penetration testing (33%), cloud platform expertise (32%), and application security (30%) alongside the aforementioned network security and security operations skill sets.

Data protection and security — two sides of the same coin?

Security leaders see hackers/crackers with malicious intent as the threat they are most unprepared to deal with (24%), but that is followed directly by the threat posed by malicious insiders (16%). When asked to parse which insiders pose the largest threat, it is “IT staff with elevated privileges” by a large margin (cited by 40% of survey respondents). The rise of security tool sets such as privileged access management speaks directly to this challenge: a “least privilege” strategy is difficult to implement where elevated privileges are required to perform certain IT roles. When asked which threat vector or path into the organization represents the greatest security threat, it is email by a large margin (cited by 31% of respondents). Aligned to this challenge are email security products, which are implemented at 74% of enterprises, and phishing simulation products, which are implemented at 52% of enterprises.

One of the early concerns with generative AI solutions is that some of the tell-tale signs of low-level phishing scams, such as poor grammar or translation, could be eliminated by using tools like ChatGPT to easily create better-formed business email compromise (BEC) attacks. That concern has not registered in a practical sense for enterprise security professionals, the majority of whom are either not at all concerned (34%) or not very concerned (45%). A spike in attacker usage of generative AI, clear indicators that it is happening, and greater success in BEC attacks may be required for more than 20% of security professionals to register this as a concern in the future.
