- 451 Alliance Report

Alliance Members-Only Report

Converged Security Trends

Security Professionals in Short Supply


By Tracy Corbo

It is not enough to pay lip service to security. The job is not done after drawing up a set of security policies. Information security is no longer just about securing data and devices. Threats are both internal and external, and companies must be prepared to handle both.

The Internet provides a common venue for companies of all sizes to participate on an even footing, and therein lies the problem. Companies big and small face the same security and cyber threats. The growing number of cyber threats is creating an increased demand for information security skills and experience. Sadly, demand for these individuals is outstripping supply. The result is difficulty not only in recruiting but retaining skilled security professionals.

Just like a tight real estate market when demand is high, and supply is low, the best individuals go to the highest bidder. Consequently, companies that cannot afford to pay the going rate or are in less desirable locations find it harder than most to fill these positions.

A July survey of 548 members of the 451 Alliance looks at how the growing demand for security professionals is affecting security team staffing decisions.

Report Highlights

  • Top Pain Points. People and internal politics are the ongoing top pain points for companies of all sizes. The careless actions of end users can expose companies to security threats despite all the best practices.
  • Security Policies. Sure, companies have security policies, but do they work? It depends on who you ask. Among 451 Alliance members, senior management has more confidence in the security policies than IT staff.
  • Difficulty in Recruiting and Retention. The talent pool for qualified security professionals is insufficient to keep up with demand. The result is not just a hiring problem, but also one of retention.
  • Security Skills Shortage. There needs to be a more proactive approach to solving the security skills shortage. If there are no outside candidates available to hire, and while outside contractors fill the void, it is not an ideal long-term solution. In-house staff need to be retrained.


Top Security Pain Points

User behavior continues to be a thorn in the side of companies big and small. Other issues common to companies of all sizes include the impact of organizational politics and a general disregard towards information security. Security is much more effective when a proactive approach is taken rather than a reactive one.

For smaller organizations, the other pain points highlight the difficulty of dealing with security threats without adequate budget, staff, and in-house expertise. For larger organizations, the sheer size and number of systems and endpoints can make it difficult to stay on top of security events in a timely and thorough fashion. In addition, compliance requirements can add expense and create additional management overhead and headaches.

top pain points 2Q18.png

Corporations do have formal written security policies in place. In fact, 96% of organizations with more than 1,000 employees and 100% of organizations with over 10,000 employees do. The number drops to 70% for organizations with less than 1,000 employees.

formal written 2Q18.png

Written policies are all well and good, but do they work? Despite having policies in place, 45% feel that these policies are only somewhat effective and 19% think that they are not very effective. There are some just over a third, 36% claim they are very effective.

effectiveness 2Q18.png

A closer look at the effectiveness of security policies from the perspective of senior management versus IT staff reveals that senior management has more confidence about organizational security policies than the IT staff who implement the policies on a day-to-day basis.

senior mgmt 2q18.png

Information Security Skills Gap

One of the biggest challenges for organizations (especially those with less capital to spend) is finding and hiring qualified individuals with the requisite information security skill sets. The problem is compounded by the fact that there are more jobs than there are qualified candidates to fill them. This in turn drives up salaries for those individuals, making it harder for companies to hire and retain experienced personnel. This complaint is a perennial one.

“[In security] it's hard to find good people. Everybody seems to be getting on the bandwagon. There is a high demand. We lose a lot of people. It's a revolving door where people come in and they get trained up and get certified and then somebody offers them a better deal [so they leave]."

Financial Services - IT/Engineering Managers and Staff - 10,000-49,999 employees

More than half (66%) of respondents are facing an information security skills shortage. The shortage is most acute in the finance sector where 79% of respondents face a skills gap. Other verticals – such as healthcare and government also feel the pinch and are typically hampered by both pay and location issues that only serve to further limit the pool of qualified candidates seeking employment opportunities.

key segments skills shortage 2q18.png

Older companies, typically digital transformation “laggards” with conservative approaches to new technology face even greater challenges in acquiring skilled information security personnel. To be brutally honest, a company with significant technology debt (i.e., legacy systems that do not easily integrate with newer technology platforms) is a company that few highly skilled IT professionally would really want to work for (at least not for long). An organization whose infrastructure has outlived the IT staff’s availability to support it, is not the place for the up and comers in the tech who want to work with modern infrastructure environments and “cool” emerging technologies.

Recruiting When it comes to hiring, companies large and small are having trouble recruiting information security personnel. This shortage will not resolve itself: the growing number of connected devices and the continued drive toward digital transformation will only compound the problem.

difficulty recruiting 2Q18.png

Retention Security specialists are in high demand. Companies are struggling not only to find personnel, but to hold onto them as well. One-third of smaller organizations with fewer than 1,000 employees find it extremely difficult to retain information security specialists, as do one-quarter of larger organizations.

retaining security prof 2q18.png

Compensation Companies recognize the value of these employees and the difficulty in replacing them once they leave. One retention option is increased compensation. Respondents were asked to describe how they see compensation for security professionals changing over the next 12 months when compared to the previous 12 months.

More than half of respondents plan to increase compensation for their security professionals over the next 12 months. Among organizations with 1,000 to 9,999 employees (a group more affected by the security skills shortage compared to others) 70% plan to increase compensation for information security personnel.

planned compensation increases 2q18.png

The two most readily available options, especially if hiring is proving to be a futile exercise, are to retrain existing staff or hire outside contractors. While outside contractors provide a quick fix, this is not viable long-term option particularly if the skill set is not being transferred to internal employees. As a result, companies need to take more proactive approaches, including continuous (re)training of existing IT staff and well-defined retention programs that keep the needed expertise in house.

adressing skills gap 2q18.png

451 Alliance
  Twitter LinkedIn Facebook  
This information is from 451 Research, LLC, and contains confidential business information.
It may not be copied, forwarded, or distributed without permission.

© 2018  451 Research, LLC | 1411 Broadway Suite 3200, New York, NY 10018