Michael Pepe’s June 23 ChannelNomics article, “Outsourcing key to rising security threats, staff shortages” looks at the 2015 Global Information Security Workforce Study conducted by Frost & Sullivan in partnership with the International Information System Security Certification Consortium (ISC2) and others. Researchers polled almost 14,000 information security professionals across various industries—in organizations of all sizes—about their companies’ long-term and short-term security needs and how they hope to fulfill them.
According to Pepe, the study shows that companies are looking to outside providers to fill a widening gap between their information security workforces, systems, and other capacities and their need to combat growing threats.
The study’s key findings include the following:
- By 2020, there will be a global shortfall in the information security workforce of 1.5 million jobs.
- More than 60% of respondents said that their companies do not have enough information security professionals, up from 56% in a 2013 survey.
- Remediation times following systems or data compromises are steadily getting longer.
- Security professionals are in “find-and-react” mode, identifying failures and breaches and addressing security incidents ad hoc; they do not have time to take proactive steps to ward off future problems.
- About 30% of respondents plan to increase spending on managed or outsourced security services.
The study also explored the reasons companies use information security service providers. In their responses (respondents could choose more than one option), 49% of participants stated that their companies lack the necessary skills in-house to meet security needs, 30% cited recruiting limitations, and 18% noted difficulty in retaining staff with the proper training, illustrating that some companies do not have—and will struggle to acquire—the necessary talent.
Pepe notes that companies must exercise particular care when choosing a vendor for outsourcing security functions. The study asked respondents about the most important factors they consider when evaluating service providers: 55% identified price as the most important factor, but 50% said that they seek a provider that will back up its offerings with service level agreements and 49% said that they made their choice based on the amount and quality of service provider personnel. Only 33% cited the number of years a service provider has been in business and just 22% cited brand name, which indicates that there may be opportunities for lesser-known outsourcing firms to gain market share if they offer a great service at a good price and back it up with guarantees.
The study also queried respondents about cloud services (for some tips on how to keep your data safe in the cloud, see our blog post, “Strategies for Data Security in the Use of Cloud Services”). While companies across the board recognize the use of cloud services as a high priority, cloud service technology can pose serious data security concerns. Respondents expressed concern regarding data breaches (76%), data loss (73%), account hijacking (61%), malicious insiders (59%) and insufficient due diligence (57%). Service providers with cloud-based offerings will need to assure consumers about their ability to address cloud security concerns and highlight their security features and expertise as selling points. Respondents said that they would favor providers with specialized cloud security skills, with 66% of respondents stating that they would like to see providers acquire more knowledge about applying security controls to cloud environments and 65% asking for service providers with enhanced knowledge of cybersecurity threats and vulnerabilities.
As security threats evolve and companies seek to meet the challenges of the changing technology landscape, the trend of companies seeking outside help from security vendors will likely continue to grow.