Without skilled professionals running the operations, how effective are our security systems? More importantly, how mature are these security systems?
According to Hewlett Packard Enterprise’s newly released study, State of Security Operations Report 2016, companies are failing when it comes to security monitoring and goals. The report measured four areas of performance in security maturity: people, processes, technology and business function. As the report stated:
The reliable detection of malicious activity and threats to the organization, and a systematic approach to manage those threats are the most important success criteria for a mature cyber defense capability.
The results were not good. Only 15 percent of companies met the maturity levels, and something that the report lists as a trend gives us a glimpse into why companies are failing:
Access to skilled security resources continues to be the main concern of enterprises. To deal with this, organizations are moving toward hybrid staffing and hybrid security infrastructure models.
The lack of adequate security staffing, the report added, leads to streamlining incident investigation and remediation.
The HPE report found that companies are looking for outside help to meet these security demands, but this obviously isn’t the solution, considering the maturity failure rate. It’s clear that there is a real need for cybersecurity professionals. Colleges are producing graduates with degrees in cybersecurity and risk analysis and other skills that security pros need. So why is there a shortage of skilled personnel?
One reason could be supply and demand. This is still a relatively new field, and it is struggling to find bodies to enter the profession. As Michael Brown, CEO at Symantec, stated in a CSO article last summer:
The demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million.
There is also a lack of professional development for security professionals – or IT folks who are in charge of security. As Security Intelligence put it, too many C-level executives still aren’t buying into the need for better cybersecurity, or they think that if employees have certain certifications, that’s all they need. Security, as we know, is ever-evolving because the criminals try to stay one or two steps ahead of the defenses. If your professionals aren’t able to keep up with the criminals, security is going to fail.
And that’s the point that the HPE study tries to make. As Chris Triolo, vice president of Security Product Global Services at HPE, was quoted by Infosecurity Magazine:
Organizations are investing heavily in cybersecurity, but the lack of skilled resources and the deployment of advanced solutions without a solid SOC [security operations centers] foundation in place remain top concerns.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba