InfoSec is experiencing a continuing problem, and it is not a new one: there is
a shortage of personnel in the industry. As if this were not detrimental enough,
there is also a training issue that further compounds it.
The first issue can be viewed in economic terms. Beginning approximately a
decade ago, the demand curve has trended robustly upward. The curve has not been
linear, or straight, but has steepened, meaning that year after year the demand
for professionals has increased at a higher rate than the year before.
The increase in demand is due to several environmental factors. There are many
more businesses online than there were even a couple of years ago. Each of
these, throughout the globe, has its own internet presence, applications,
servers, AWS instances, etc., or multiples of these. Each of these creates
another attack point. The rapid expansion of the available attack surface brings
with it the opportunity to attack and defeat a system. With all of this
available, the attackers have grown in number. While the concentration in each
country is not uniform, the numbers are still growing within each. The attacks
have been operationalized and have proven to be rather profitable, especially in
the case of ransomware. The incidents have included successful attacks against
city and county governments, massive corporations, and others of any size. Any
business or municipality is a viable target, and beginning the attack process is
a low bar; all it takes is a person in the organization clicking a link or an
attachment.
While the attacks continue to increase at an alarming rate, creating business
demand for people with this skill set, the supply curve is increasing at a
rather conservative rate. This curve has only a slight incline. The difference
between supply and demand continues to grow, which is a clear indication that
there is a problem. People are not entering the field at a sustainable rate, and
the people in the positions are burning out and leaving.
This shortage has forced businesses to hire and bring in people who are not the
most qualified. These persons may attend a boot camp for a few weeks and market
themselves as subject matter experts (SMEs). While this is a good starting
point, it is not the pinnacle of qualification as a cybersecurity SME. This
skills gap is also a problem for the industry. Management still has issues with
fully understanding and appreciating cybersecurity and its role. Without some
form of roadmap for decreasing the skills gap, the problems will continue and
grow. This may also be due to HR not grasping the pertinence of cybersecurity.
There have been dozens of highly publicized breaches detailing what happens to
the business post-breach, especially in the health care field. This may also be
an issue of not triaging which skills and training are important now versus
which may be addressed later.
However you wish to look at this, there is a significant problem that is not
getting resolved in the near future. If the industry will not give this analysis
the appropriate level of attention, the difference between the number of people
in the industry and the number needed will grow at an ever-increasing rate.