Mexico. Akamai Technologies, Inc., the world's largest and most reliable cloud delivery platform, points to the new cyber landscape: more threats but fewer security professionals.
ISACA predicts that by 2019 there will be a shortage of 2 million cybersecurity professionals worldwide. And in a survey published by ESG and ISSA in November 2017, 70% of respondents stated that the shortage of Security skills was affecting their organization. The survey also highlighted that experienced staff were overloaded with urgent Security events that left them little time to focus on Security strategy or training.
"As a mid-sized company, the shortage of security skills is a challenge for us, as global technology brands and financial institutes pull much of the talent pool out of the market," said Daniel Schatz, Director of Information Security at Perform Group. "One consequence of this is a market with candidates who may not yet have the required skills or experience, but who can stipulate staggeringly high salaries due to demand."
"For us, it is a constant process to balance the need to fulfill Security functions with a pragmatic look at talent in the market. The key is to find people who are passionate about what they do in Information Security and what we do as a company," Schatz continued.
The shortage of security skills has not gone unnoticed by government agencies around the world.
In 2016, the UK government stated that it planned to invest $2.5 billion in improving the country's cybersecurity defenses, with part of this funding going toward training new security professionals. In addition, in a bid to encourage young people to pursue a career in Security, the government launched the Cyber Schools Program to teach 14-18 year olds the basic principles of Security: programming, forensics, cryptography, and more.
In May 2017, the U.S. government signed the Cybersecurity Executive Order, which, among other initiatives, calls for the Director of National Intelligence to submit a report identifying how the country will improve the skills of the Security workforce.
The Australian government has also created a Cybersecurity strategy that revolves around collaboration between government, private companies, education providers and the research community to create centres of excellence in universities in order to increase the number of qualified security professionals.
In a recent article by Jay Coley, Senior Director of Security Planning and Strategy at Akamai, he describes how the dramatic decline in the number of students studying science, technology, engineering and mathematics has contributed to the shortage of security skills. This is not the only factor that has contributed to the skills shortage, there are also three other drivers.
First, technology has evolved at an unprecedented speed over the past 10 years, transforming almost every aspect of business. In the past, it had a data center running its business applications, and the vast majority of users would sit in a local office and use an on-site PC to access the applications. This homogeneous structure made it relatively easy for a company to protect itself by building a robust and fixed perimeter. But now, applications and data live in the Cloud; users access workloads from smartphones, tablets and laptops from anywhere, anytime; and many of these devices are not managed or controlled, or even owned by the company. This seismic shift creates new security vulnerabilities and exposes new attack surfaces.
Second, the threat landscape has been significantly transformed. Businesses now face an ever-evolving tsunami of threats that are created and executed on an industrial scale. These threats are sophisticated and targeted, and the cybercriminals behind these attacks are persistent, patient, and highly incentivized. Add to this the fact that an entire ecosystem has been developed that allows malicious actors to build, deploy, and monetize malware and ransomware even further. Malware as a Service (MaaS) and Ransomware as a Service (RaaS) are available, are cheap to buy and download, and are openly advertised on popular sites.
Third, changes in technology and business practices, along with the industrialization of threats, have created a myriad of new security products and services for companies to implement in order to improve their security posture. While positive overall, this influx also brings a lot of complexity. In the old world of a strong but static perimeter, one company probably had an EndPoint Firewall and Security. Now, a company can employ secure Web gateways, Cloud-accessible security agents, data leak protection, intrusion detection and protection, mobile device management, identity management, and more. That's an intricate number of technologies to deploy, manage, and connect. And, the products themselves have become more complex; a secure, market-leading Web gateway now typically requires a week of intensive training to become competent, for example.
When you look at the confluence of these three controllers, it's clear that modern enterprises need larger security teams with a broader skill set. Combine this with the decline in STEM studies, you have a perfect storm.
In early 2017, Akamai's IT team piloted our newest Security product, Enterprise Threat Protector, on its own corporate network. Enterprise Threat Protector is a Cloud-based Security service that uses recursive DNS as a control point and leverages threat intelligence gleaned from Akamai's unparalleled view of the Internet. Simply put, Enterprise Threat Protector scans all DNS traffic on the network and determines whether the requested domains are secure or malicious. If a request is malicious, the user gets a block page; if it is safe, the request proceeds normally. This comprehensive protection can be configured and deployed globally in minutes; all that is required is a simple change to the existing DNS settings.
Our in-house IT team was amazed by the significant and quantifiable benefits the service provided during a tightly controlled trial that lasted from March to May 2017.
Benefits include:
- A large decrease in the volume of malware incidents identified by the existing endpoint protection solution: a 54% reduction from March to April and a 37% reduction from March to May.
- A decrease in the volume of events generated by the existing advanced detection solution: a 30% reduction from March to April and a 15% reduction from March to May.
- The equivalent of 0.75 of a full-time employee (FTE) time saved due to reduced incidents and alerts from the existing endpoint and advanced detection solutions.
"Saving 0.75 from an FTE by implementing Enterprise Threat Protector has allowed us to free up resources to see other important Security projects that were delayed due to the team's workload," says Keith Hillis, Director of Enterprise IT Risk and Security at Akamai. "Enterprise Threat Protector is such a simple and straightforward service to manage that we can use less experienced team members to do the little management work that's needed each week."
