The acute phenomenon of the cybersecurity skills shortage
Despite ongoing efforts to train recruits, it doesn’t appear that the cybersecurity skills shortage is going to abate any time soon. A survey of 301 IT and cybersecurity professionals conducted by Enterprise Strategy Group, an arm of TechTarget, on behalf of the Information Systems Security Association (ISSA) International, finds 71 percent reporting their organization is being impacted by the cybersecurity skills shortage—up from 57 percent a year ago.
Nearly all respondents (95 percent) said the cybersecurity skills shortage and its associated impacts have not improved over the past few years, with 54 percent saying it has only worsened. More than a quarter (27 percent) said the impact of this shortage on their organization has been significant. Eighty-eight percent said it is either extremely difficult, difficult, or somewhat difficult to recruit and hire cybersecurity professionals.
The impact of that shortage includes increased workloads (61 percent), unfilled open job requisitions (49 percent), high burnout among staff (43 percent), and an inability to fully learn how to use cybersecurity tools (39 percent), according to respondents. Areas where the security skills shortage is most acute are application security (38 percent), cloud security (37 percent), security analysis and investigations (27 percent,) and security engineering (26 percent).
Most respondents (60 percent) also said their organization could be doing more to mitigate the cyber skills shortage, with over one-third (36 percent) stating that they could be doing much more.
Skills shortage means opportunities for MSPs
Managed service providers (MSPs) are, of course, also impacted by the cybersecurity skills shortage. Still, the key difference is that the same skills shortage creates opportunities for MSPs willing to invest in the tools and training to manage cybersecurity at scale. MSPs have always enjoyed a skills advantage in the cost of acquiring and retaining that expertise can be distributed across multiple customers that benefit from the services provided. In contrast, organizations that hire their own IT and cybersecurity professionals must entirely absorb that cost.
MSPs generally also provide better pay and access to training than what is typically afforded by an internal IT organization, so they have a much better chance of attracting the best and brightest to join their ranks.
Finally, MSPs are generally in a better position to invest in automation to drive down the cost of delivering a service. That’s critical in an era where competition among MSPs remains fierce.
Overcoming internal IT objections
Despite all these advantages, however, only a few organizations still opt to hire their own IT and cybersecurity personnel. Reasons behind this include everything from cultural inertia to a tendency to have more control of the cost of subscribing to a managed service and the perceived value of those services.
Every MSP knows that when it comes to convincing business and IT leaders to rely on a managed service, there are a lot of objections to overcome before any deal gets signed.
However, when it comes to managed cybersecurity services, those same business and IT leaders are increasingly coming to terms with the limitations of their internal IT teams. Asking a handful of understaffed and underfunded IT and cybersecurity teams to defend an organization is nothing short of a mission impossible. That doesn’t mean there will never be a cybersecurity breach if an organization contracts an MSP, but it does mean the odds of one are greatly reduced. It also means the amount of time to recover from a cyberattack will be much shorter.
One issue MSPs face, as always, is simply getting a chance to make their case. Given the ongoing shortage of cybersecurity skills, however, there should be a greater willingness to consider alternatives. The issue is determining where an organization encounters the most acute pain that an MSP is best prepared to relieve immediately.
Photo: LookerStudio / Shutterstock