As the volume and sophistication of cyberattacks continue to rise, many CIOs are increasingly concerned about their ability to thwart online criminals. And there is good reason to worry. According to a new Symantec report, 57.6 million new malware variants alone appeared in June this year, up from 44.5 million in May and just 29.2 million in April.
And according to the “State of Cybersecurity: Implications for 2015” — a global survey of cybersecurity and IT managers and practitioners conducted by ISACA and RSA Conference — 77% of organizations experienced an increase in attacks in 2014, and 82% expected to be attacked in 2015.
At the same time, IT security personnel are getting harder to find. According to (ISC)², there will be a total shortage of 1.5 million IT security professionals worldwide in the next five years. This lack of adequately skilled security staff is a major concern for organizations. The ISACA study found that more than one-third of organizations have been unable to fill security vacancies, while 53% said it can take up to six months to find qualified candidates and 16% reported that nearly half of all job candidates were not properly qualified.
Simply put, most organizations today do not have the people or the systems required to monitor their networks effectively or consistently. The number of IT security professionals available has not kept pace with the growth of technology and its increasingly important role in the majority of businesses.
And with such high demand, the security professionals who do exist can seemingly “write their own ticket,” choosing the company, salary and benefits that appeal to them most. According to (ISC)², the global average annual salary for a certified security professional is now $101,014, with 58% reporting that they received a raise in the last year.
The bottom line? Most companies looking for more IT security staff aren’t going to find them. Relying on technology alone to flag a sophisticated attack is not enough; it typically takes a person to do that well. Therefore, new approaches are needed to ensure both public and private entities get the personnel they need to address IT security challenges.
Creative solutions
Some companies, such as United Airlines, Google, and Facebook, have recently used “bug bounty” contests to attract freelance hackers who, in exchange for a significant prize, attempt to locate system vulnerabilities for the organizations. But those are only temporary solutions, inadequate in today’s dynamic technology environment.
Instead, CIOs may need to get creative to help solve their IT security challenges. One idea — called “swarming” — involves people from a variety of organizations working together to address a security problem. Similarly, some CIOs are developing relationships with their counterparts in other organizations to determine ways they might cooperatively address IT security threats.
While creative new ideas are certainly welcome, efforts also need to be made to get more young people involved in pursuing IT security career paths. (ISC)² is attempting to help in this area by creating educational awareness, connecting with students in primary and secondary schools, and forming partnerships with universities.
Eventually, the numbers may increase. For now, creativity may be the best tactic that CIOs can employ to help solve their IT security challenges.