Thursday, June 27, 2024

InfoSec Market Labor Shortage and Predictions

From my personal experience and through conversations I’ve had with many other security pros, we’ve observed that the average level of competency among enterprise InfoSec personnel is either flat or decreasing, and this has been steadily taking place for several years. It occurs despite the plethora of widely accessible educational content and professional training options. This is important to note because the operational environment of InfoSec requires professionals to keep learning an ever-expanding knowledge base simply to remain effective. As every expert will attest, this is a significant challenge for every individual and organization.

Meanwhile, as businesses digitize essentially every product and service in modern life, today’s IT environments have become incredibly sprawling and grow more complex by the day. This level of complexity, together with the associated legacy IT backlog, makes it exceptionally difficult for practitioners to comprehend, monitor, and maintain robust security in the environments they’re meant to defend.

The InfoSec market is growing rapidly ($172B annually with 10-12% CAGR), leading to high demand for skilled professionals across the corporate spectrum. The demand and the resulting skill gap are exacerbated by new and emerging technologies such as IT/OT convergence, cloud, virtualization, microservices, blockchain, low-code/no-code, new programming languages and frameworks, and of course, AI/ML.

Nobody can claim expertise in all of these areas, or even close to all of them. Additionally, InfoSec does not have structured and widely available pathways for onboarding entry-level talent. Hiring managers also commonly struggle to accurately assess the expertise of potential hires because InfoSec skills are nuanced and difficult to evaluate.

In the near term, there are no scalable options on the horizon to broadly address these labor issues, and every indication is that the skill gap will remain and likely even widen. If so, and for lack of better options, we can only expect organizations to continue placing inadequately trained and inexperienced personnel into vacant security roles, where they operate more like program managers than hands-on practitioners. This is a reasonable approach given the current constraints.

Consequently, many organizations lack confidence in their ability to sufficiently protect their environments from breaches — and for good reason. Many practitioner surveys published over the years support this observation. Some people will suggest substantive wage increases as an immediate solution, and I don't necessarily disagree, but doing so can only help individual organizations. The larger net effect can only shift labor shortages from one area of the market to another and will do little to solve the overall industry shortage. With that in mind, here are my predictions:

  1. An increasing number of organizations and their security programs will rely upon Managed Security Service Providers (MSSPs) for third-party assistance — especially MSSPs who are willing to take on contractual liability. Of course, reliance on MSSPs does not necessarily solve the core challenges; it only transfers the security problems from the organizations to the MSSPs. Security product innovation remains a crucial component of the market. The MSSP market winners will be those capable of offering a comprehensive suite of security controls that keeps up with an evolving threat landscape. That said, no amount of technology automation in any segment of InfoSec completely removes the need for human expertise. Therefore, the MSSPs who can best hire, train, and retain top talent will have the long-term competitive edge.
  2. If an increasing percentage of InfoSec budgets is going to flow through MSSPs, then selling through MSSPs becomes an increasingly attractive go-to-market strategy for incumbent security vendors and start-ups alike, especially for those capable of integrating seamlessly into the MSSPs’ existing technology stacks and processes.
  3. Businesses are finding that cyber-insurance is becoming compulsory. And it makes sense: if you feel that you can’t protect against the breach, at least protect against the monetary loss. So we’re going to see an expansion of cyber-insurance carriers, both large and start-ups, offering insurance packages that come with a suite of security solutions bundled in — for free. The question is, will they build these technologies themselves, partner for the capability, or make acquisitions?

My prediction is: All three.

1 comment:

Anonymous said...

I've seen a contraction of cyber insurance carriers and much more scrutiny from the remaining carriers before they'll agree to offer coverage. Many carriers have lost their shirts and pants due to excessive losses and not enough due diligence.