First published in Outsource Magazine September 12 2013
A report commissioned by IBM concluded that Technical Information Security Skills are in short supply and that this is creating vulnerability and risk in business. The research, carried out by Forrester Research Inc., revealed that even mature organisations are facing increased risk exposure due to difficulty sourcing and retaining Information Security talent.
Overall, 80% of Chief Information Security Officers are finding it difficult or very difficult to recruit technical security staff who meet all their needs, according to the research. A range of issues feed this difficulty, and the resulting concerns about rising risk levels include some very disturbing elements, as unfilled roles create anxiety. Only 8% of respondents said that they didn’t have a problem with security staffing issues.
The remaining 92% identified some key areas for concern that any business should be considering, regardless of whether or not they think they have a security talent issue. Whilst the solution for many businesses has been to recruit further down the experience ladder, you can see from the kind of pinch points identified here that this is not a sustainable solution. Whilst it may ‘fill a security role’, it is not filling the right one.
- external threats not understood or discovered (27%)
- deadlines not met/projects taking longer to complete (27%)
- a growing gap between threat and controls (24%)
- technical control systems not fully effective (this is anti-malware and the like) (22%)
- technical risks not identified (20%)
- technical control systems not implemented (20%)
- technical risks are unresolved (20%)
- security road map is unclear (20%)
- internal technical security audits are not undertaken (20%)
- process-based controls (e.g., segregation of duties, privilege review) are poorly defined, dated, or inefficient (18%)
- concern that security architecture is complied with (17%)
- it has prevented adoption of new technology (e.g., cloud, BYOD) (16%). NB: given some of the concerns we have seen in the list so far, this is probably a blessing.
- external technical security audits are not undertaken (e.g., at service suppliers, supply chain) (15%)
- it has prevented business agility and/or growth (13%)
- security architecture is poorly defined (13%)
These results show us not only that there is an increased risk to business from the skill shortage, but that the kind of risk business is facing is not simply about architecture and cyber threat but also about the prevention of growth and agility. These are positive contributions that security can make, and their inclusion as potential risks shows a willingness to move security out of the cost column and into the investment column, but again this is being thwarted by the skill shortage. This may reveal itself in a lack of confidence in moving certain functions or activities to the cloud, or perhaps in not instituting Bring Your Own Device (BYOD). Whilst it is better not to do these things if you do not know whether they are within your organisation’s Risk Appetite, an organisation that does not know what that Appetite is, and has no one sufficiently knowledgeable and skilled to ascertain it and then mitigate the risk where appropriate, may be disadvantaged. It might, for example, become a less appealing choice for potential new and highly skilled employees in other parts of the organisation, who perhaps demand BYOD as standard along with the flexibility it brings.
Commercially, robust security and resilience are becoming a must-have, and increasingly organisations are being asked to demonstrate and prove themselves in these areas. Businesses that have worked with Her Majesty’s Government and the Public Sector, for instance, will be familiar with their extensive security requirements, but others are now finding that if they want to grow their business, the onus is on them to be able to prove their security credentials. This pressure is coming from larger organisations, not just public bodies, as they realise how important it is for their supply chain to be resilient. Again, this is a real stumbling block if you simply do not have the in-house skills to handle a project like ISO27001 certification or compliance. So the risks that are immediately apparent, in terms of what might happen to a business without the appropriate level of security skill, are actually more convoluted than they first appear.
A perception of security as a business enabler is one that many security professionals have tried to promote for a long time, and the idea of growing a business within its Risk Appetite is common sense. For too long the perception of Security has been that Security will just say no to innovation, change and anything even vaguely risky-sounding. It is disappointing to think that just as the paradigm looks ripe to shift (in the right direction), it is being stymied by a lack of high-level skills. All of these challenges presuppose that the organisation has the budget to employ the skilled person it needs.
Physical Security, like manned guarding, has been on the outsource list for many years, but Information Security has not always been viewed the same way. Depending on the level of challenge, the size of the organisation and the actual (not perceived) threat and risk, there may be a viable alternative to a full-time senior technical security person, through outsourcing. Perhaps if the challenge is to get through a particular project, then the high-level skillset may only be required at certain times, not constantly. If there is a tipping point at which the need for the skills is justified commercially, it may come a lot sooner if there is an opportunity to fill the gap without actually having to finance an FTE with all of the cost that entails. Given the difficulty in sourcing high-level skills, the best talent is following the money, leaving many organisations in an uncertain security vacuum. Outsourcing may be the solution, on either a project or a buy-as-you-need basis. It may provide a much more cost-effective answer to a convoluted set of challenges that are not showing any sign of going away or simplifying. It may also mean a level of skill and experience far in excess of that which may have been within budget for an FTE.
Of course, being certain of your partner in any outsourcing endeavour is vital, and due diligence on potential suppliers is essential. As a rough guide, here are some questions you should be asking.
- Does my partner understand my organisation and its business drivers and growth imperatives?
- Can they provide qualifications, certifications, track record, references, case studies and a cultural fit?
- Are they flexible enough for my needs? Are they able to flex up and down as required or am I going to be rigidly contracted to a number of days per month?
- Do we have specialist or generalist needs?
- Do we want access to an expert individual or a team of experts?
- Do we want strategy, policy or risk skills?
- Do we want our partner to be capable of working successfully with C-level stakeholders or at the ‘coalface’ or both?