Cybersecurity Skills Gap


With consistent news around breaches, attacks and incidents, it should not come as a surprise that cybersecurity skills are heavily in demand. Yet even with the persistent need for these cybersecurity skills, there is a perpetual deficit of qualified candidates. CMI’s CTO, John Wondolowski, wrote about IBM’s Interconnect Conference and addressed the cybersecurity skills gap around IBM’s acquisition of Resilient. Additionally, this year at the RSA Conference, ISACA discussed the cybersecurity skills gap as the first topic for their State of Cybersecurity 2017 presentation.

ISACA’s studies show that only 59% of North American respondents indicated they were able to fill their open cybersecurity positions, citing a lack of qualified candidates. While a typical corporate job will receive between 60 and 250 applicants, only 16% of North American respondents said that they had received 20 or more applicants for their cybersecurity positions, with 22% saying they had received fewer than five. Of those applicants, the majority (64%) were deemed unqualified, usually due to lack of experience, though education and certifications also were cited as reasons.

Past reports are consistent with these findings. The demand for cybersecurity workers is growing over three times faster than the average for IT jobs, and on average, they cost 9% more according to a 2015 report by Burning Glass. In another 2015 report, Cisco estimated that there were one million unfilled cybersecurity jobs, with a few other sources projecting the shortage to grow to between 1.5 million and 2 million cybersecurity jobs by 2020. To put this in perspective, as of January 2017, there were only 115,324 people with their CISSP, one of the most recognized and requested cybersecurity certifications.

This is to say that you are not alone if you have encountered challenges in building and maintaining your cybersecurity staff. ISACA’s recommendations to assist with finding and retaining talent had a common theme of minimizing frustration for those employees. This is where CMI can help: by providing the expertise to identify technology that automates your cybersecurity processes, providing services to implement or validate the status of that technology, and arranging a managed service to perform the more repetitive tasks.

When you choose Enterprise Information Technology for your career you virtually guarantee two constants in your work life:

1. There will be a continuous inflow of new ideas and new technologies that will be important and disruptive.
2. You will be so busy with your job that finding the time to review, understand and assimilate those new ideas and technologies will be very difficult.

25 Years of RSA


The RSA Conference just wrapped up at Moscone Center in San Francisco. A record number of attendees (around 35,000) flocked to the Halls where hundreds of vendors pitched their new (and some not so new) Cyber Security products and solutions. The keynote addresses were thoughtful and helped provide a few themes for the 2016 conference:

  • The costs of enterprise security relative to the percentage of overall enterprise I.T. spend (the increase has been dramatic).
  • The scarcity of Security Skills and competition for talent.
  • Cyber Education – not just in the enterprise but through society.
  • The flood of security data within the enterprise has reached the point where analytics will be a key enabler of the future.

Much has been written (and will be written) about the speeches, product announcements and idea exchanges at the conference. There certainly was a lot of discussion and debate about the pending United States vs. Apple case(s), where law enforcement is attempting to force Apple to assist in hacking into iPhones that were used in criminal activity, most notably the one device in the case of the San Bernardino terrorist. For those of us who have been in Information Technology since the initial RSA conference twenty-five years ago, this discussion and debate is not really a new or novel topic.

The first RSA Conference was in 1991 and it was held in Redwood Shores, where 100 attendees gathered to listen and discuss technology security. Two years later, in 1993, the NSA unveiled an encryption model that was pushed to technology vendors to adopt. That encryption model was known as the “Clipper Chip.” (Does that ring a bell?) If you are not yet in your forties you may never have heard of the Clipper Chip, because by 1996 it had died a lonely and miserable death. The NSA encryption technique adopted the “Skipjack Encryption Algorithm” (developed by the NSA). Skipjack used an 80-bit key and a symmetric cipher algorithm, much like DES. The fundamental part of the model for the NSA was that the private keys would be put into a “Key Escrow” where governmental agencies, with proper court approval, could retrieve the private key from the Key Escrow and use it to decrypt the target device or communications. This was the first attempt by the United States Government to force technology vendors to create a back door for decryption.

Of course, private industry had the same reaction to this type of governmental approach in 1993 that it does today. Backdoors, key escrows, or forced hacking from the manufacturer are all weaknesses in encryption and security that can be leveraged by bad guys as well as good guys. This wonderful taxpayer-funded invention was never adopted. Perhaps most surprising in that story is that there actually were people in the NSA who believed that technology vendors would embrace the idea. That sentiment quickly changed after the initial announcement and turned into an approach of trying to force adoption on the technology vendors. The short life of the experiment tells the story that the NSA shot an air ball with that one.

The RSA Conference 2016 showcased amazing new advances in technology and innovative approaches to deal with Cyber Security. However, the basic discussions in the hallways and lounges of RSA Conference 2016 were those around the nexus of privacy, technology, private industry and government. These conversations have not advanced much since the RSA Conference of 1994, when the Clipper Chip was being pushed.

Conference Review

The relegation to irrelevancy that has been predicted for IBM may be a bit premature. IBM is still big enough and relevant enough to draw nearly 25,000 Information Technology professionals to their annual Interconnect conference in Las Vegas. The fourth week of February is the week that IBM, IBM Partners and IBM Customers flood Las Vegas and spend the week exploring current and future capabilities in Information Technology. We are here looking at the conference through the lens of Enterprise Information Technology, and this blog is about what we are seeing so far.


One of the consistent themes so far at Interconnect is technology’s role in helping to bridge the I.T. Security skills gap. For perspective, Enterprise Strategy Group (ESG) recently did a research study on the I.T. Security skills gap. The ESG research found that 46% of organizations classify themselves as having a “Problematic Shortage” of Security skills. Notably, ESG did a similar study one year ago, and this year’s results show an increase of 28% in the share of organizations that classify their situation as “Problematic.” In fact, the ESG Research 2012 study found that only 24% (half of the 2016 number) classified their situation as “Problematic.” Beyond ESG, Burning Glass analyzed cybersecurity job postings and found that the number of cybersecurity job postings increased 74% from 2007 to 2013. That increase was twice the total increase of ALL I.T. job postings over the same period. ISC2, the organization that manages the CISSP certification, projects that there will be a 1.5 million job deficit between CISSP-wanted and CISSP-certified in 2020.


With all of that in mind, it should be no surprise that the rumors at Mandalay Bay and MGM Grand this week have been about the potential of IBM acquiring Resilient Systems. Resilient Systems has built an Incident Response Platform that focuses on process automation. One way of addressing the skills shortage is to automate as much of the security work and processes as possible, lowering the headcount requirement for organizations. In that approach, if good automation platforms and tools are available, then buy them, because good and qualified security professionals are not available.


But it has not just been IBM acquisition rumors that speak to the security skills shortage. We attended a roadmap roundtable on the IBM QRadar SIEM this week and (without violating our NDA) we can report that most of the features and functionality currently being worked on and planned for the QRadar platform revolve around automation and integration of security tools that will relieve workload and increase the effectiveness of existing staff. While QRadar is in an industry leadership position for SIEM, this trend is not unique to IBM.


One takeaway from the heavily populated and vast hallways of the Mandalay Bay and MGM Grand Conference Centers is that the Security Vendors may be able to make the biggest positive impact in closing the security skills gap for Enterprise Information Technology.