Critical Shortage of Security Skills?

Nov 07, 2011 | 2 mins
Advanced Persistent Threats | Cisco Systems | Data and Information Security

As the old cliche goes, “people are the weakest link in the security chain.” This saying is usually pointed at consumers and non-IT employees who exhibit risky online behavior and can’t possibly keep up with the latest security threats and defenses. Unfortunately, the “weakest link” metaphor now applies to security professionals as well.

In January of this year, ESG Research asked IT professionals to identify areas in which they had a “problematic shortage” of needed skills — 22% of organizations said they had a problematic shortage of information security skills. This is consistent with a late-2010 report from the Center for Strategic & International Studies (CSIS) titled, “A Human Capital Crisis in Cybersecurity” ( week, ESG published a new report on Advanced Persistent Threats (APTs) and their impact on security strategy at US-based enterprise organizations. Not surprisingly, sophisticated attacks like APTs are stressing already overtaxed security skills. For example:

1. 21% of organizations rate their ability to detect attacks in progress as “fair” or “poor”
2. 17% of organizations rate their ability to monitor network traffic at all network ingress/egress points as “fair” or “poor”
3. 17% of organizations rate their ability to remediate a compromised system as “fair” or “poor”

The big problem I saw throughout this project was centered on security forensics and analytics. Large organizations are capturing data from a number of sources (e.g., log data, NetFlow, CMDBs, packet capture) through a number of tools and then manually trying to identify the malicious needles in the haystack. This hasn’t worked for years, while the consequences associated with successful attacks grow more and more dire.

We need to get busy with training courses, government grants, and K-12 education on cybersecurity, but these programs will take years before delivering ROI. In the meantime, security vendors need to come up with more scalable, integrated, and intelligent security tools while CISOs think long and hard about offloading security tasks to third-party specialists.

Jon Oltsik is a distinguished analyst, fellow, and the founder of ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO’s perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.

