Most IT security professionals can probably relate to the marine portrayed by Jack Nicholson in the move a “A Few Good Men” more than they care to admit. Perimeters, like walls, have to be guarded by people who have responsibilities that most of the people working inside any organization simply can’t fathom. Unfortunately, the vast majority of IT security professionals that guard those perimeters feel like it’s only a matter of time before there is a major breach in IT security.
A survey of 250 IT security professionals conducted at the recent Black Hat 2016 conference finds that nearly three quarters (72%) of the respondents expect to be hit by a major data breach within the year. A little more (74%) admit they simply don’t have enough people to successfully defend their organizations. That same issue was echoed in a survey of 5,000 IT professionals published this week by Kaspersky Lab that finds 68.5% percent of businesses plan to respond to that issue by increasing the size of their IT security staffs.
But even as IT security budgets increase, actually finding those IT security professionals may be problematic. As demand for IT security expertise increases, so too do salaries. Even if an organization can find an IT security professional, they still may not be able to afford to hire them. Of course, there are efforts under way to increase the size of the available pool of IT security talent. But organizations shouldn’t expect any meaningful help to come over the hill in the form of new recruits any time soon. By the time anyone gets trained in IT security, the threat landscape has usually changed substantially. As a result, the only training that really matters is usually gained on the job.
Because of these issues, more organizations now than ever are starting to invest in IT security automation. There are a lot of lower level IT security tasks that can be automated using machine learning algorithms and other forms of artificial intelligence. While it may take some time to train these systems, they never forget something once they learn it and they don’t quit unless someone actually turns them off. As more of those lower level tasks get automated, it becomes feasible for each IT security professional to cover a lot more of the threat landscape.'By the time anyone gets trained in IT security, the threat landscape has usually changed substantially.' @mvizardClick To Tweet
If anything was learned this week by the revelations that the National Security Agency (NSA) was hacked, it is that attacks are getting more sophisticated. It’s safe to assume that whatever the NSA has, other nation states have similar or even potentially worse capabilities. There’s also no doubt that criminals will be making use of advanced algorithms to create even more sophisticated attacks in the future. The sad fact of the matter is that most organizations are engaged in an IT security arms race whether they realize it or not.
Like most jobs involving the protection of anything of value, IT security is a lonely pursuit. Adrenaline may rise when the time comes to thwart an attack in progress. But the truth is that most IT security professionals are outgunned and outmanned. An external managed security service provider can obviously even those odds considerably. But perhaps the better news is that there is more affordable help on the way; it just may not arrive in the form of another human.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot.Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.