There’s broad agreement the IT industry is facing an unprecedented skills shortage. There are over 209,000 unfilled IT job openings in the U.S. and job openings are expected to grow 53% through 2018. However, IT executives and workers disagree over what to do about the growing skills gap. Underscoring the disconnect, these two groups don’t even agree about which skills will be important in the next five years. That’s according to a recently released report from the Cloud Security Alliance (download a free copy here) based on survey of over 200 IT professionals. The skills shortage is particularly acute for IT security teams due to a rapidly changing threat landscape that is resulting is more and costlier data breaches.
Previous studies have found the single greatest barrier to effectively detecting and stopping data loss is a lack of skilled security professionals. IT security budgets have not been reported to be a significant barrier to effectively stopping security incidents. That’s due in part to companies maintaining or increasing their security budget. IT security budgets increased or remained flat for 92.5% of companies in the past 12 months and a slightly higher percentage (94.3%) expect their budgets to increase or stay flat in the next 12 months. Nearly half of companies increased their investments in IT security in the past year (44.5%) and an even greater number (53.7%) expect to increase their investments in IT security in the next 12 months.
Rather than budgets, IT departments are struggling to recruit and retain IT workers with the right skills. Due to rapid changes in IT environments, the skills needed to be successful in IT are changing and there is a shortage of IT workers with this new skill set. Views differ on the best way to deal with this shortage. Across all IT professionals, the most popular idea (37.1% of respondents) is to increase hiring of junior IT professionals and invest in training them. That’s followed by increased training of existing security teams (32.3%) and a longer term program of increasing the number of collegiate majors focused on security (18.3%) to fill the applicant pipeline in future years and decades. The least popular idea is outsourcing work overseas.
When asked which IT skills are needed in this new environment, 80.4% of IT professionals responded that managing an incident response would be somewhat more important or much more important in the next five years. Another 74.7% of respondents said experience with very large datasets would increase in importance while 66.4% said that communication with non-IT departments and executives would grow in importance. However, when you break down these responses by role within the IT department, there is a clear difference in how IT executives, mid-level managers, and individual contributors (workers who do not manage other employees) view the shortage, how to deal with it, and the skills needed to be effective.
The most popular response among individual contributors (38.1% of respondents) is to increase training for existing IT security workers. Of the three groups, executives were the least likely (23.3%) to say that training existing workers is the best response. For IT executives and mid-level managers, the most popular response is to increase hiring of junior IT professionals and invest in training them. IT executives also take a longer term view; of the three groups they are the most likely to say that increasing collegiate majors in security is the best solution to the shortage, albeit one that will take years to begin taking effect in the workforce. One area of broad agreement: offshoring IT security work overseas is not viewed as an effective solution.
Across roles, there are also key differences in the skills that are predicted to be “much more important” in the next five years. With a shortage of skilled IT professionals presenting the greatest barrier to protecting data, it’s critical that IT professionals focus on the skills that will enable them and their organizations to be successful. Individual contributors were more likely than the other two groups to report that communication with non-IT departments, incident response management, and analysis of large datasets will be significantly more important. On the other hand, IT executives were more likely to say that negotiating with vendors and partners and the ability to write code would significantly increase in importance.
With IT executives less willing to invest in training existing IT workers, it’s clear that to remain relevant IT workers will need to take responsibility for improving their own skills. There are many free resources available for IT professionals to improve their skills and their value to their organization. Salaries for IT workers, particularly those focused on security, with the right skills continue to increase and analyst firm IDC predicts that security will become so important to organizations that by 2018, 75% of chief information security officers (CISOs) will report directly to the CEO instead of the CIO. As they look to hire talent, IT leaders also will need to adopt interview questions that better identify candidates with the potential to be top performers, rather than relying on questions that do not do a good job of predicting job success.