The DC, Maryland, and Virginia area has a pretty substantial base of IT talent for a number of well established factors. Those black buildings down in Fort Meade would rank high on that list. You find other hot beds for these skill sets in California’s Silicon Valley (and San Jose / San Diego to an extent), Austin Texas, and Atlanta’s longstanding tradition of solid security companies. The disturbing part: we still are falling incredibly short on the sheer numbers required to battle the cyber threat.
Our friends at the Baltimore Cyber Technology and Innovation Center (CTIC) took a hard an fast look at the problem in their recent Jobs Report (PDF), finding nearly 340,000 cyber security related job postings nationwide across over 18,000 companies. The report goes on to break down the jobs by titles, educational requirements and certifications. There are literally thousands of openings for Systems Engineers with CISSP’s out there.
With this much pent up demand and limited supply, insourcing talented engineers has become nearly impossible for the mid market. Having to pay top dollar for even mid level specialists creates a class warfare model, where larger organizations flushed with cash can buy protection, and smaller organizations are left to go it alone. Even if you find someone enabled with the right set of skills, can they stay current with the threat landscape while fully tasked?
The natural path for many is outsourcing. Find an IT security managed services provider to monitor your firewall, or IDS. This can be very effective for organizations looking to check off the compliance box, but are you more secure? Maybe… maybe not.
With the pace at which this world moves, the likelihood that a small to mid size organization will be successful with either model exclusively is low. Balance is everything. CSOs must champion inside assessment while contracting outside audits and pen testing. Internally build risk management aptitude and align with committed, highly skilled outside partners who have eyes on the threat and a clear understanding of your business.
Until we figure out how to genetically clone high dollar specialists, we are left with a gap that can only be filled by everyone being elevated artificially. Call this the prosumerization of security. Simply put, it has to be made easier for all of us to collectively succeed. Tools must be easier to use, easier to interpret and easier to access. The hardcore will call me a heretic, but it is the truth. There aren’t enough of us. Not even close.