There is a negative unemployment rate in IT security, which has led to a shortage of available talent in the market, with many firms unable to attract or evaluate key security talent.
According to a Peninsula Press analysis of numbers from the Bureau of Labor Statistics, there were 209,000 unfilled cybersecurity jobs in the U.S. in 2015, with information security job postings up 74 percent in the last four years. And demand for security skillsets is up 300 percent in the last 12 months.
Additionally, many firms have not come to terms with the compensation required for keeping IT security talent, leading to turnover.
For organizations running understaffed IT security teams, maintaining robust security when there are unfilled positions—or a limited budget—can be a major challenge.
"One of the greatest concerns companies should have is around visibility," Andrew Howard, chief technology officer at Kudelski Security, said. "You don’t know what you do not know. With a limited IT staff, firms are unlikely to have the visibility necessary to identify their weaknesses or a breach."
Howard explained prioritization of investments should also be a major concern for these types of businesses, explaining that in a situation where there is more demand for security staff than supply, prioritizing the right activities is paramount.
"Why are you digging a deeper moat when the front door is open?" he asked.
Yet another concern organizations with limited security resources have to worry about is shadow IT—without an IT security group effectively enforcing security policies, shadow IT is likely rampant, leading to additional unseen and unmanaged enterprise risk.
In order to protect themselves, businesses need to be smartly migrating key services to the cloud and to managed service providers can help strengthen the security program and reduce the number of assets the security staff must protect.
"Smart outsourcing includes the cloud," Howard said. "Who is likely to have a stronger security staff, a medium-size enterprise or one of the top three cloud providers?"
He noted that segmentation is also important, as all assets should not be protected equally; Howard recommends focusing the IT security staff on the most important assets and segmenting those assets from the corporate network.
With the competitive marked for IT security pros unlikely to relax in the near future, Howard said he expects enterprises to move more of their infrastructure and security controls to third parties including managed service providers.
"There just is not enough talent out there for the average firm to 100-percent in-source their security program," Howard said. "From a technology perspective, you should expect to see innovation around automation over the next few years. We also expect the talent gap to get worse before it gets better."
Richard Turner, Barracuda Networks’ cloud product marketing manager, said as a company that works with thousands of midmarket customers to solve security challenges with limited IT staffs, this is one of the main concerns they hear on a daily basis, particularly among midmarket businesses.
Turner said one of the ways businesses with limited IT budgets can maximize their defenses with minimal staff is not only be cloud-ready, but have options for deploying in public cloud environments, and securing cloud business apps like Office 365 and Salesforce.
"Current threats like ransomware are also a top concern, which is why it’s important to work with security vendors who understand how these threats work and the best ways to keep businesses safe from them," Turner said. "It’s also important to keep in mind that staffs don’t know what they don’t know."
He explained because cybersecurity moves faster than in-house security staffs, business need to find vendors on whom they can rely on, as "doing it themselves" is no longer feasible.
"Building and staffing a team focused on end-to-end cybersecurity is expensive – many of our clients are outsourcing security functions like authentication, threat intelligence or identity access management to managed security providers to get around that constraint," Karsten Scherer, TEKsystems global analyst relations lead, explained.
He said one thing organizations should consider is an employee training and awareness program, noting awareness and solid training can go a long way in avoiding breaches.
He pointed to PricewaterhouseCoopers’ recent State of Information Security Survey, which found current employees as the biggest single driver of security incidents.
"The majority of those aren’t malicious, but rather user error," he said. "Companies should think of their employees as their human firewall."