Security talent gap cannot be expressed in job numbers alone


A recent study by 451 Research, a part of S&P Global Market Intelligence, examines the changes to organizations' security teams over the past year: the skill sets needed today and those potentially in inadequate supply, whether security teams are adequately staffed, the difficulty of recruiting and retaining security professionals, and the level of concern that generative AI capabilities raise around business email compromise.

The Take

It is not surprising that, in a tightening labor market, it has become controversial to claim there are "millions of unfilled information security jobs," with some studies putting the figure as high as 3.5 million to 4 million without a clear and defensible method for arriving at it. The problem is that a perceived need for cybersecurity talent is fundamentally different from an actual job opening, which depends on more than a need reported by cybersecurity managers. That need must be agreed to by other decision-makers in the business, budgeted for, and survive hiring freezes or subordination to greater perceived needs elsewhere in the business. In this most recent study, 18% of respondents say their information security team is inadequately staffed to address current security challenges. Another 48% are in soft agreement that the team size is adequate; only 35% are confident in their team size. Just 18% report adding security staff, a far cry from 37% in 2022, when almost two-fifths (38%) believed their security team's size was inadequate. In 2022, respondents on average rated recruiting security professionals 7.1 in difficulty on a 10-point scale and retention 6.0. Today, recruiting is rated 5.9 and retention 5.8, meaning recruiting has gotten somewhat easier while retention remains about as difficult as before.

Summary of findings

Do entry-level information security positions exist? Information security may be a second career, one a person becomes qualified for only after holding another job in information technology. If so, that flies in the face of what college and university programs, boot camps, certification bodies and other training companies purport to offer in terms of opportunities in information security. The study asked respondents about their organization's hiring requirements: only 24% report hiring entry-level professionals without prior technology experience, 34% require candidates to have previous information security experience, and 42% move employees from other technology roles into information security roles. Of the 18% of respondent organizations that have recently added staff, 73% say at least some of those additions are considered entry level. However, definitions of what constitutes an entry-level position in information security vary: many job postings require work experience and demonstration of specific technical skills, which contradicts what most people understand by "entry level."

Certifications remain an important part of the hiring process. As one of the prominent studies that reports unfilled security jobs was released by a certification non-profit member organization, the role of certification inevitably becomes a discussion point. In an industry with a great deal of disagreement around the ideal background for a security professional, the skill sets required and the means of assessing those skill sets in an interview process, certifications and the organizations that issue them still play a prominent role. Almost half (47%) of respondents note certifications are very important, and they require job candidates to have them. Another 43% note they are somewhat important — while not required, they are considered. Only around 10% of respondents believe certifications are not very important.

Organizations are adding managed security services. In another indicator that managed security services feature prominently in security managers’ plans, the most cited change to information security teams is the addition of managed security services at 29%, either to augment staffing, or to handle event-based incident response. The need to augment specific expertise (58%) is the most cited reason, followed by the need for more “person-power” or staff (27%). Nearly a quarter (23%) say centralization of information security resources is underway, while conversely, 18% say their security team is being divested or spread to other parts of the organization. About one-fourth (23%) note their organization’s security team is part of a reorganization. About one in five (18%) note they are adding security professionals to their staff, while 10% note staff reductions are underway.

Cloud platform expertise is among inadequately addressed skill sets. In an attempt to further refine what security professionals mean when they discuss a “skills shortage” in information security, this survey asks security professionals to define what skill sets are most important on their teams today, and which skill sets are most inadequately addressed. Network security (59%), risk assessment including assessment of vulnerabilities (52%), and security architecture (49%) are the three most cited responses in terms of important skill sets today. In terms of inadequately addressed skill sets, cloud platform expertise (32%) leads the list, followed by regulatory compliance (31%) and application security (29%). AI is seventh, with 27% citing it as needed and in short supply.

Most respondents (88%) say the chief information security officer or equivalent position in their organization is positioned to be successful. In cases where security professionals say their leader is not set up correctly, they most often blame budgeting (54%), people resources (42%) and a lack of seniority within the organization (36%). A third (34%) say information security concerns are subordinated to information technology goals.

Email remains far and away the greatest concern as an entry point for attacks. Cited by 28% of respondents, email dwarfs the next-highest category, social media threats, at approximately 12%. This vital business communication tool is ubiquitous, and thus remains a top target for bad actors initiating an attack. This does not mean attacks are single-stage; they remain multistage, and thus capable of being interrupted at later points, from initial intrusion to privilege escalation, lateral movement and potentially exfiltration. But it does suggest that email security is a vital piece of stopping attacks before they start.

Concern around generative AI is growing. In a sign that GenAI is a double-edged sword benefitting attackers alongside security professionals, the level of concern around GenAI-enhanced business email compromise has risen drastically from last year’s low level. In the year-ago study, only 2% of respondents were very concerned, and 19% somewhat concerned, that attackers were using GenAI to conduct more advanced phishing attacks. In the current study, 30% say they are very concerned, and 53% somewhat concerned, about GenAI-driven phishing attacks.

When it comes to groups that enterprise security professionals are least prepared to deal with, outside attackers (19%) remain the most-cited threat. But malicious insiders remain a prominent issue, coming in second at 15% of citations. When asked to break that out, the insider groups most often cited as a concern are, in order, IT staff with elevated privileges (26%), contractors or temporary staff (14%), and remote employees (14%). The placement of remote employees on this list suggests that media coverage of "return to office" mandates may be a bit overblown. The most challenging group, IT staff with elevated privileges, is also the top pain point in the identity management study, which was also conducted by 451 Research, a part of S&P Global Market Intelligence. If there is a bright spot, it is that executives and senior management are farther down the list at 9%. As information security concerns have risen in importance, executive privilege to bypass security policies or controls has largely become a relic of the past.

