Are MSSP’s the Solution to the Cybersecurity Skills Shortage?

Author: Etienne Greeff, CTO & Founder of SecureData

Earlier this month, it was revealed that UK unemployment is at its lowest level since 1975. The jobless rate of 4.7% makes for encouraging reading, but in a report published in the US by Cyber Ventures late last year the IT security sector boasts zero percent unemployment. Today, if you are a security professional you probably feel like the world is your oyster, but if you are trying to recruit talent in to your organisation then you may take a different view.

The director of GCHQ has in recent weeks warned of a “huge skill shortage” by the middle of the next decade, and this shortfall should give everyone cause for concern. Without wanting to sound too over dramatic, the world is at war with the cybercriminals and right now there simply are not enough troops to fill the trenches – we can’t introduce conscription in to the industry! And, to compound matters the regulators are clamping down on malpractice.

A recent Cyber Ventures report suggests that in 2016 there were one million cybersecurity job openings in 2016 and predicts this to rise to 1.5 million by 2019. This is great news, as the message is being heeded that organisations need specialist expertise to help safeguard themselves from inevitable attack, and we are not just talking about larger enterprises.  It is estimated that in 2015, 74% of SMEs in the UK were breached.

What’s more the attacks are growing in volume, with in the region of seven million new malware variants and 17,000 security alerts each week. They are also becoming more complex and sophisticated, with ‘innovative’ new ransomware, phishing and social engineering attacks.

As is the nature of supply and demand, the deficient of cybersecurity professionals with the right CV means that those with the necessary credentials come with high salaries – a CISO can command between £98,250 and £149,500, whilst an Information Security Manager can expect up to £97,500 per annum). However, it is also true that they are under increasing pressure, not just from the external threat vectors, but the internal challenges placed upon them to be a ‘cybersecurity everyman’, with one person expected to perform the diverse duties of two or even more people.  The Center for Cyber Safety and Education found that 66% of UK companies do not have enough information security personnel to their needs.

A word of warning, if you are lucky enough to have one or more of these people in your organisation right now, know that other businesses (both private and public, domestic and overseas) are trying to lure them away this very moment.

To confuse matters further, organisations are being bombarded with promises from technology vendors that if you buy solution X, Y and Z all your security and compliance problems will be solved. Walk the lanes at Infosec in London in June and you will probably walk away with more questions than answers.

What is happening today (I add the caveat – in some instances) is that in the absence of the requisite experience, skills and strategy, organisations are operating on a purely tactical basis, unable to see the ‘big picture’. This is especially true at the smaller end of the SME community for whom paying a CISO or Information Security Manager’s salary is out of the question, and as such have been priced out of the market. So, as attack vectors grow exponentially, so too does the amount of ‘kit’ that is being deployed (often in vain) to counter them. In fact, it is predicted that spending will exceed $1 trillion from 2017 to 2021. Furthermore, as businesses evolve through digital transformation and Cloud adoption, the scale of the task at hand grows too. However, it does not all make for bleak reading and there is light at the end of the tunnel.

Organisations are getting a handle on things and many have realised that one way to tackle the skills shortage is to turn to Managed Security Service Providers (MSSP’s) for some or all the IT security function. It is no coincidence that in the face of a skills shortage that shows little sign of righting itself soon, the MSSP sector is the fastest growing services segment. Today, it is growing at a rate faster than the security software market, with reports of CAGR of 13.2% for MSSP and 7.4% for security software.

MSSP’s are an increasingly attractive proposition for crème de la crème of security professionals, giving them the opportunity to utilise their skills across a range of different organisations and infrastructures, as well as working alongside other experts, helping them to develop their knowledge and expertise further. For the organisations, they get access to this talent pool without the worry, or associated costs of finding and replacing personnel. What happens if you get hit with a ransomware attack and your security guy is on holiday or off sick?

Crucially, MSSP’s know the latest skills, qualifications and experience that are required to perform in this ever-changing environment, whether it is perimeter and application security, vulnerability scanning, threat detection or compliance monitoring.

Looking to the future, there is much work to be done to attract the very best talent to the cybersecurity industry and that means addressing the gender gap and getting cybersecurity education in to schools (currently only 12% of the workforce is under 35). It was heartening to hear last month that the UK Government has earmarked £20 million to teach teenagers about cybersecurity. If we can engage them early it is addressing two problems, namely the personal threat of cybercrime and the subsequent national impact, as well as making the industry one that is appealing to build a career in.