Where are all the cyber security pros?

Written by Joseph Poppy on 03/08/2018

Despite living in a world where the internet is becoming ever-more fundamental to everyday life, there is currently a world-wide shortage of cyber security professionals who are able to keep it all secure. Within four years this shortage is expected to reach 1.8 million. According to a study from 2018, only 35% of the enterprises involved felt they were adequately staffed to deal with cyber-attacks. 35% is not a good percentage. No one has ever been inspired by a half-time team pep-talk that concluded with ‘now, I want you to go out there and give 35%. Sure, you might not win, but at least you can say you turned up.’

It seems odd that this is the case, considering global spending on cyber security was estimated as hitting £70 billion in 2018. With this kind of money, you’d be expecting hordes of people to flock to the industry looking to get their share. Why then are we in this predicament, and what does it mean for information security?

Too much demand

Like everything, a large part of the issue is one of supply and demand. In this ever-connected world, threats are persistent and ever evolving, coming from all over the world at any given time. In the bizarre age of cryptocurrency and subsequent cryptomining, there are stealthier, more efficient ways for criminals to monetise hacking, leading to more people ‘giving it a go’. It may well be that recruitment and industry staff levels will never match the number of threats.

Products or people?

Just because spending on cyber security is high, it doesn’t mean this money is being put in the right places. I have no doubt that many companies are spending unnecessarily large sums on the latest, top of the range products assuming that will keep them safe. This is a reasonable assumption for them to make, as this is often how products are marketed. However, cyber security isn’t just about the tech.

Many companies will spend a great deal of money on setting up their own SIEM for example. They’ll set it to alert them to potential threats, only to turn it off when they get bombarded by false positives. They’ll set it to gather every log from all possible sources until they’re drowning in them, with no clue as to what to look for when something actually goes wrong.

The technology is all well and good, but only if you have people who know how to use it effectively. In fact, it may well be the case that businesses are spending unnecessarily on new products, when really they simply weren’t getting the most out of their original set-up. If you’re going to spend a lot of money on fancy gadgets and the latest software, it makes sense to have the relevant security professional who knows how to configure it correctly and, more importantly, what to look at when it’s saying something is amiss.

Public image

In the 90s, mainstream media depicted anyone involved in cyber security (or anything cyber for that matter) as either a murderous robot or as a nerd cloistered in a darkened room. It was less than flattering. Even today, a lot of people do not view information security as a valid career path, or perhaps more importantly, fail to see cyber security as being different to general IT work.

Cyber security is not necessarily a glamorous life and involves significantly less fancy graphics or frantic typing than the movies would have you believe, but it is certainly a ‘valid career path’, which is possibly the driest way of putting it. However, the industry still has a certain reputation hanging over it. Its public image is not necessarily one that suggests success and fulfilment. Image is always important, so this is something that will have to change significantly before we see any improvement. For our part, we’re often found at industry events and expos trying to show cyber security is as exciting as we know it to be.

Awareness is key

Could it be that it all comes down to marketing? Well, that’s a factor. There seems to be a distinct lack of awareness that skilled security professionals are needed. More importantly, it needs to be established that people can make a good living in this industry. The fact is, it has an incredibly low unemployment rate (roughly around 2%) and the starting salary for an information security analyst in the UK can be surprisingly competitive.

In our current climate, with the right strategy the supply could very well meet demand.

In the meantime

Whilst that’s all well and good, what are businesses supposed to do in the meantime? They can’t wait until the shortfall in cyber security professionals is resolved. The threats are real now.

The solution in this case may involve outsourcing, particularly for smaller businesses. For example, a managed SIEM service with active threat hunting could help keep a business secure at a reasonable price. Outsourcing this will give a businesses access to a Security Operations Centre (SOC) as well as a team of trained analysts, saving them the trouble of recruiting these rare creatures themselves.

In the case of Bulletproof, we combine great technology and software and (most importantly) put highly skilled professionals behind it. This allows us to monitor a company’s environment 24/7 and immediately investigate any potential threats.

It is no surprise that these sorts of solutions are growing in prominence as they not only provide an effective layer of cyber security, but also make up for the current shortage of trained cyber gurus.

  • Bulletproof are CREST approved

    CREST approved

  • Bulletproof are ISO 27001 and 9001 certified

    ISO 27001 and 9001 certified

  • Bulletproof are Tigerscheme qualified testers

    Tigerscheme qualified testers

  • Bulletproof are a PCI DSS v3.2 Level 1 service provider

    PCI DSS v3.2 Level 1
    service provider

  • Bulletproof have 24/7 on-site Security Operations Centre

    24/7 on-site Security
    Operations Centre

Get a quote today

If you’re interested in our services, get a free, no obligation quote today by filling out the form below.

By submitting this form, I agree to the Bulletproof privacy policy.