The Labor Shortage
If you haven’t noticed yet, the U.S. economy is booming! The U.S. unemployment rate reported for May stood at 3.8%. Not too many years ago, 5% unemployment was considered by most economists as full employment. For information security teams, this translates into a huge labor shortage. The Wall Street Journal recently reported the “…demand for cybersecurity workers is outpacing supply by so much that by 2022, North America will have 265,000 more data-security jobs than skilled workers.” And it’s not just in North America. The Australian press has reported there is a serious talent war over the shallow pool of risk managers in Australia. In the EU and U.K., meanwhile, the rise of the data protection officer is the hottest tech ticket in town as a result of the EU General Data Protection Regulation.
Going up: Data Breaches and Vulnerabilities
All of this demand for information security professionals coincides with a massive information security workload.
(1) The Breach Level Index indicates that breaches are continuing to grow nearly 100% per year.
(2) According to the NIST National Vulnerability Database statistics, vulnerabilities continue to increase dramatically in number and severity.
Executive leadership is rabid to go digital fast, and information security teams have to figure out how to keep up in order to protect the organization. According to the KPMG 2018 Global CEO Outlook Survey:
- On average, only 37% of companies across all industries have converted to digital. That means there’s still 63% to go.
- 91% of U.S. CEOs are personally ready to lead a radical operating model transformation.
- 59% believe agility is the new currency of business.
Information Security Governance Changing
The information tech talent shortage coupled with increasing breaches, increasing vulnerabilities and accelerated change have largely undermined the confidence CEOs have in their organization’s information security programs.
These forces have led to greater scrutiny of information security by Executives and Boards of Directors, who are now mostly requiring that IT Security budgets be approved by them directly, while CTOs, CIOs, and CISOs appear to no longer have much autonomy over their budgets.
Not only is budget approval of information security programs being escalated higher in the organization, but leaders and boards want to know that the money they are allocating is having a positive impact. A recent Deloitte poll of more than 1,130 C-suite and other executives indicated that 62.7% believe Boards of Directors will expect better reporting on the effectiveness of their cyber security program.
Where are all of the Security Professionals?
All of these factors are congealing into what I would call a mega trend for information security professionals. The technical and human resource challenges of information security must be countered with smarter and more efficient risk management. Risk management teams must adopt business context-based information security risk management to prioritize initiatives and communicate with the C-Suite and Board (RSA calls this Business Driven Security); and they must implement tools across all aspects of information security risk management and governance that efficiently recapture precious time from each team member so that it can be reallocated to more important problems. It is only in this way that information security leaders stand a chance of surviving this mega trend.