Shortage of skilled employees in IT security on the rise: How companies can still win the battle against cyberattacks
by Svenja Koch
If a company's own IT security can no longer fully perform the necessary tasks for comprehensive cyber defense, serious losses in the company's IT and information security quickly become apparent. For this reason, alternatives and strategy changes are necessary to reliably defend against cyber threats.
Shortage of IT specialists and no improvement in sight
The situation in IT security has become more acute over the past few years. Advancing digitalization and the increased focus on mobile work and the cloud have created new cyber threats. Added to this is the increased attack activity by hackers. Targeted and intelligent cyberattacks, in which cybercriminals focus on specific infrastructures, are putting IT security under increasing pressure.
Developments since the start of 2020 have added to this: the coronavirus pandemic changed the digital world of work faster than planned. While the home office trend has been around for years, the number of employees working from home has increased much faster since the beginning of 2020 than in previous years. This has led to new cyber threats. Hackers are increasingly directing cyberattacks at the newly created vulnerabilities in corporate networks. In response, companies are in turn being forced to strengthen IT security. This has further exacerbated the IT skills shortage.
According to analysis, around 1.5 million IT security jobs were unfilled worldwide at the end of 2020. The most common reason for this state of affairs is the shortage of IT specialists. However, this development does not come as a complete surprise. Back in 2018, the Cybersecurity Workforce Study predicted that Europe alone would be short about 350,000 IT security specialists by 2022. At that time, the coronavirus pandemic had not yet figured in any planning, so the real situation is very likely to be even more critical. It can therefore be assumed that the shortage of IT specialists will remain a permanent condition for the foreseeable future.
At the same time, the current IT security situation requires investment in IT. To be prepared for future cyber threats, special solutions as well as experienced IT security experts are required. Without such upgrades in the area of IT security, companies run the risk of suffering significant damage from cyberattacks. According to experts, this situation will also become even more acute in the future. Cyber criminals are becoming increasingly sophisticated and targeted. Even today, classic IT defense measures such as firewalls and antivirus programs are overwhelmed by such attacks.
In addition, the trend towards cloud solutions is continuing. Companies are relying less and less on on-premise solutions and are outsourcing services, applications or even the entire infrastructure to the cloud. Direct, physical access to servers and workstations is then no longer possible. For this reason, IT security monitoring of a company's own infrastructure is also becoming an increasingly complex task. Even medium-sized companies already have very branched networks in which a wide variety of cloud applications, employees' mobile notebooks and home office structures are integrated in addition to the LAN in the corporate area. The workload for the IT department is therefore also continuing to increase in this area.
How to compensate for the shortage of skilled workers - and strengthen your IT security
Companies have various options for responding to the shortage of IT specialists. Two methods stand out. The first is to promote the necessary qualifications within the company. The second is to rely increasingly on managed security services.
The first option, training and educating the company's own staff, is a lengthy and time-consuming task. Moreover, there is no guarantee that this investment in knowledge will remain within the company. After a few years, it is quite possible that the highly trained personnel will leave the company, especially since a higher qualification is also accompanied by an increasing salary. For small and medium-sized companies, training their own staff is usually not an option anyway. During the training sessions, temporary replacements have to be found in the IT department. In addition, such training courses are cost-intensive. Accordingly, there is usually a lack of resources as well as the basic requirements for training IT specialists in one's own company.
One thing is certain: anyone who neglects IT security in the current climate is exposing their organization to incalculable cyber threats. Successful and undetected cyber attacks have far-reaching effects. These range from system failure and loss of data to blackmail.
Managed Security Services - The solution to the IT skills shortage?
Managed Security Services are external services offered by companies in the IT security industry. The main advantage for users is that they are easy and quick to implement. Managed Security Services operate autonomously and via the network. Ideally, this provides seamless protection against cyber attacks around the clock.
Many companies are considering setting up their own Security Operations Center (SOC), where a dedicated information security team monitors, detects, analyzes and remediates cybersecurity incidents. Ideally, this is done 365 days a year, around the clock, because the activities of hacker groups are not tied to German core working hours: the groups can be located anywhere in the world. For this reason, security analysts at FireEye believe that 15 full-time specialists are the minimum requirement for a SOC. The SOC manager is joined by analysts and intelligence experts, as well as administrators and engineers, who must guarantee smooth operations around the clock, even during vacation and sick leave.
Compared to setting up a Security Operations Center (SOC), Managed Security Services offer clear advantages. With them, in-house IT security requires significantly fewer employees. Nevertheless, 24/7 protection against cyber attacks is available, and the service providers employ specialists in their field. In this way, companies work around the shortage of IT specialists. With Managed Security Services, small and medium-sized companies in particular gain access to IT security at a level that would otherwise be almost impossible to finance. This is another advantage of external Managed Security Services: they are significantly less expensive than an in-house security operations center, while offering better protection against cyber threats.
There is a wide range of offerings in the area of managed security services. These include, for example, continuous vulnerability management, in which the network is continuously scanned for new vulnerabilities, or incident response and threat hunting services, which proactively detect and report anomalies in the company's own network 24/7.
For example, secion's Vulnerability Management is a managed security service for searching for vulnerabilities in a company's own network, ensuring that vulnerabilities are continuously detected, investigated and prioritized across the entire attack surface. The automated vulnerability management scans the IT infrastructure for missing security updates, incorrect configurations or the use of insecure passwords, among other things. The final report provides recommendations for action and categorizes the vulnerabilities found: The Vulnerability Management Tool identifies critical vulnerabilities as well as vulnerabilities with low or medium relevance. Based on this categorization, the on-site IT department has a clear idea of which vulnerabilities need to be addressed and with what priority.
Also in the managed security services category is the Active Cyber Defense (ACD) service, a proactive defense against cyber attacks. The ACD service constantly scans all operations on the network, looking for suspicious anomalies. Among other things, it does this by analyzing log files of programs and hardware components in real time. It looks for conspicuous communication patterns that indicate cyber attacks. This includes, for example, connections to so-called command and control servers, which hackers use to communicate with the ransomware in the target network during cyber attacks. With the ACD service, it is possible to detect cyber attacks at an early stage, before they cause any damage. In the event of suspicious actions, the company's IT security managers receive immediate notification. This enables a rapid response to unauthorized actions in the company's own network.
Another Managed Security Service concerns the area of Incident Detection & Response (IDR). The IDR system analyzes changes to processes and user accounts as well as authorizations. This provides companies with immediate information when changes occur in these areas. Such changes are signs of unauthorized activities, which serve, among other things, as preparation for cyber attacks. Implementing an IDR system significantly accelerates enterprise threat analysis, detection and response.
With the functions outlined, managed security services complement in-house IT security. As a rule, the services do not require on-site installation and data transfer to external servers is not necessary. Ideally, data evaluation takes place entirely on the company's local infrastructure, so that the Managed Security Service also meets the high requirements of the European General Data Protection Regulation with regard to data management.
The current shortage of qualified staff in the IT industry is not a temporary state of affairs. The development has already been apparent for years. The shortage of skilled workers in IT will continue in the future, and in all likelihood will even increase. The reasons for this lie in the increasing cyber threats as well as the change in the working world, towards mobile work and the home office.
For these reasons, the use of managed security services will not only become an alternative or supplement to a company's own IT security concept, but a necessity. The scope and range of these services will continue to increase. Accordingly, the integration of managed security services will offer companies a wide range of benefits in the future, from access to state-of-the-art technologies and cost savings to the avoidance of bottlenecks in specialist personnel for their own security operations center. Small and medium-sized enterprises in particular benefit from external services and thus achieve a level of IT security that is usually impossible to build up with their own resources. Decision-makers are therefore already well advised to include Managed Security Services in their own IT security strategy.