joltsik
Contributing Writer

The Cybersecurity skills gap is worse than you think

Analysis
Jan 21, 2014 | 3 mins
Advanced Persistent Threats, Botnets, Cisco Systems

ESG data indicates that enterprise organizations are either cybersecurity skill “haves” or “have nots”

If you’ve read my blog with any regularity, you know that the cybersecurity skills shortage is a topic that is near and dear to me. Forget about things like the threat landscape, mobile security, and cloud security: if we don’t have enough skilled security professionals, we are all in trouble.

I’ll be presenting on this topic at the RSA Conference next month, but here’s a bit of very troubling data in the meantime. ESG asked 315 security professionals working at enterprise organizations (i.e. more than 1,000 employees) whether they were familiar with multiple types of malware techniques. Overall, the results were pretty dismal. For example:

  • 50% of security professionals are “not very familiar” or “not at all familiar” with Command & Control (C&C) communications techniques.
  • 40% of security professionals are “not very familiar” or “not at all familiar” with polymorphic malware.
  • 40% of security professionals are “not very familiar” or “not at all familiar” with metamorphic malware.
  • 29% of security professionals are “not very familiar” or “not at all familiar” with zero-day malware.

ESG also analyzed this data through a segmentation model that divided the entire survey population into 3 categories:  Advanced organizations (i.e. those with superior cybersecurity skills and resources, 24% of the total), Progressing organizations (i.e. those with average cybersecurity skills and resources, 52% of the total) and Basic organizations (i.e. those with below average cybersecurity skills and resources, 24% of the total). 

As if the overall population’s cybersecurity skills deficiencies weren’t bad enough, the ESG research data indicates that cybersecurity skills issues are divided between “haves” and “have nots.”  Looking at the data above through the segmentation model:

  • Command & Control (C&C) communications techniques: 24% of security professionals working at advanced organizations are “not very familiar” or “not at all familiar” with them, compared with 48% of those working at progressing organizations and 82% of those working at basic organizations.
  • Polymorphic malware: 17% of security professionals working at advanced organizations are “not very familiar” or “not at all familiar” with it, compared with 36% of those working at progressing organizations and 72% of those working at basic organizations.
  • Metamorphic malware: 8% of security professionals working at advanced organizations are “not very familiar” or “not at all familiar” with it, compared with 37% of those working at progressing organizations and 81% of those working at basic organizations.
  • Zero-day malware: 16% of security professionals working at advanced organizations are “not very familiar” or “not at all familiar” with it, compared with 27% of those working at progressing organizations and 46% of those working at basic organizations.

So there is a security skills gap everywhere, but especially at progressing and basic organizations. Remember that these two sub-segments make up 76% of the entire enterprise market. Additionally, progressing and basic organizations come in all sizes and from every industry.

If this isn’t cause for alarm, I don’t know what is.  We really need to have a serious discussion about how to bridge this gap as soon as possible. 


Jon Oltsik is a distinguished analyst, fellow, and the founder of the ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
