Talent Can’t Keep Up with Security Demands
In this briefing, we will have a look at the wider issues arising from the current lack of infosec talent in the workforce and how they can be counteracted.
What’s the problem?
Websites and products keep getting hacked. This is not surprising by itself, but recently we are seeing a trend of well-funded major operations failing to meet even basic security requirements. Without singling out any individual company in any particular field, let’s look at 3 fictional examples of companies that keep getting hacked over and over.
The Crypto Currency Exchange
While many smaller exchanges manage a modest value of currency, the larger ones (which keep getting hacked) manage hundreds of millions of dollars worth of crypto assets. Most of the larger exchanges have significant monthly budgets set aside for infosec. Still, barely a month goes by without an exchange getting hacked and millions being stolen.
The IoT Maker
From smart light bulbs to virtual assistants to automatic coffee makers, the IoT trend is going strong. Consequently, over the last 5 years, many major and reputable technology vendors have entered the market. However, security standards remain so low that governments have started scanning their own IP spaces to detect vulnerable IoT devices before attackers do.
The Payment App
Starting from 2018, there has been a gold rush for payment apps. While originally concentrated mostly in China, the trend of paying with QR codes has rapidly spread across Asia and into the West. At this point, a new QR-based payment app launches somewhere in the world almost every week, with supermarkets, online sellers and convenience stores all wanting their own solution. Unfortunately, incidents where these apps are hacked and either customer data or money is stolen are just about as frequent as the launch of a new app.
Why is security so poor?
While there are many factors in play, one key issue is often overlooked: non-IT and non-infosec companies struggle to attract infosec talent. This is not really surprising. People work for money and career prospects. In a very competitive market, someone with substantial skills will always gravitate to the employers that provide both. This means that specialized information security companies, IT giants and big consulting firms will usually have the best offer. With a lack of talent in the pool, many of the smaller companies either hire infosec staff who are underqualified or leave the task of handling infosec to developers altogether.
To put it polemically, no-one with top-tier infosec skills and experience aspires to work for a convenience store - even if it is for that store chain’s development unit.
What can companies do to combat this issue?
There are two ways to help ease the impact of the current workforce shortage:
Increase the budget allocated to infosec staff. This explicitly does not mean increasing the budget and then spending it on turnkey solutions from vendors. Anyone who promises to fix your infosec problems with a piece of software or hardware (firewalls, antivirus, intrusion detection systems, etc.) is lying to you to make a sale. Tools are useful, but you need the staff to operate them.
Upskill your existing staff. This means both training infosec specialists in-house and upskilling your regular workforce on infosec topics. The former allows you to become proactive about your security. The latter reduces the risk surface of your company.