Lack of skilled cyber security workers is putting businesses at risk

Homeland June 27, 2018

New research carried out by BAE Systems has revealed that half of mid-sized businesses cite a lack of skilled staff as a top security monitoring concern as the skills gap continues to challenge organisations, large and small.

The study commissioned by the Company and conducted via Spiceworks, surveyed 600 IT decision-makers in the UK and the US from organisations with between 250 and 9,999 employees, in a variety of commercial sectors.

The gap between the need for skilled cyber security employees and the people available to fill these roles continues to grow. BAE Systems’ new research shows that the skills gap is the primary challenge keeping organisations from reaching their security goals, with 50% of businesses identifying the lack of staff with the required security skills and expertise as the leading issue. Almost 40% suggest retention and training are also factors, highlighting the difficulty of capturing best practices from experienced staff for more junior employees.

With team resources limited, and the number of alerts and hacking attempts increasing, some IT professionals are turning to technology to optimise and automate their security practices and reporting.

Currently, over a third of mid-sized organisations surveyed (37%) are still investigating alerts manually, and a worryingly 7% — as many as over 1,200 US medium-sized businesses – are doing nothing with the alerts they receive. On average, of the alerts that make it through the current security tools these organisations have in place, fewer than 20% are actually investigated.

Colin McKinty, Vice President of Cyber Security Strategy with BAE Systems Applied Intelligence said: “Lack of skilled cyber security resources is leaving essential work undone, and putting Americans at risk. Alerts go ignored because there are too few team members, and if even one of those alerts was flagging a legitimate threat of an imminent breach, the company has now lost critical time to secure its corporate and customer data, and protect its reputation.”

While 43% of the organisations surveyed are planning to train up existing staff, and 36% plan to grow their team, the skills gap may make this route challenging. Many are instead looking at bringing on new tools to optimise their security monitoring and reporting, to improve security with their existing team and help their security operations run more smoothly. Research showed that 42% of IT professionals plan to buy additional tools — 54% reported seeking security monitoring tools that identify existing vulnerabilities and high priority incidents on the network, and the same number (54%) are looking to reduce the time between a breach and when the incident is reported.

When it comes to the current security tools employed by large businesses (500+ employees), the majority are happy with what they are using, with over three-quarters (78%) reporting they are satisfied or very satisfied with their current tools, and only 7% expressing dissatisfaction. But it is a different story for mid-sized companies: almost one in five (17%) are dissatisfied with their current solutions. The tools employed by smaller businesses put a significant burden on their IT teams — 37% of businesses with between 250-499 employees are manually investigating all logs and alerts.

Mr McKinty explains: “Identifying cyber risks is complex and time-consuming, and every day there is the risk of missing serious attacks before they cause significant impact, compromising company information, and the larger implications and costs associated with a high-profile breach. The future of security technology is real-time. Businesses need to be confident that attacks and risks on their network are being identified as they happen, without the need for large, dedicated security teams, or time-consuming manual investigations of alerts.”

If you would like to join our community and read more articles like this then please click here.

BAE Systems cyber security skills shortage