Do SMB staffing needs count?

There’s been no shortage of articles about the shortage of IT security expertise. This issue didn’t appear overnight. It started to get real attention after a report by CISCO estimated one million unfilled positions globally back in 2014. Current estimates cite the figure of 200+k vacancies in the U.S.A. alone. Forecasts estimate these figures will continue to grow steadily for at least the next 5 years.

I’m not sure these forecasts include staffing needs for SMBs though? Do these forecasts mostly represent enterprise and government needs? Whatever hardships the enterprise and governments have from an ITsec staff shortage, it’s even worse for SMBs. You know, that segment of business that drives about 90% or more of the economy, and employment.

Things are even worse for small defenders!

It’s not that the need isn’t there. SMBs are being attacked too. The article, “A daunting cyber challenge,” provides this overview:

  • “American small businesses are under cyberattack like never before,” said House Small Business Committee Chairman Steve Chabot, R-Ohio. “Small businesses employ about half of the private sector workforce and generate 54 percent of annual sales in our economy.”
  • “While cyber security failures of large companies and agencies dominate news cycles … 71 percent of cyber-attacks are aimed at businesses with fewer than 100 employees, according to a report by the Select Small Business Committee.”
  • “Smaller businesses are actually targeted as much as large companies, and the results are often catastrophic, with average financial losses exceeding $3,600, and the subsequent loss of customers and trust leading many to bankruptcy. Lack of technological expertise has long been a concern for these business people, but now they are also facing dramatic cost increases in hiring such experts.”
  • “Business owners with limited time, training or budget for expert assistance require a new breed of simple, cost-effective tools…

I’ll touch on that last point more in a follow-up to this post. To continue on about SMB hardships, consider the following points.

In a research paper, Sizing the Cyber Skills Gap: A White Paper by Stephen Cobb, CISS, the author reports that,

“A 2016 Spiceworks study found that 59% of businesses with fewer than 500 employees had no access to a security expert (not internally, nor externally via third-party contractor or managed security provider)…”

The article, “Only 29% of organisations have a cyber-security expert in their IT dept,” also cites research by Spiceworks,

“Spiceworks polled more than 600 IT professionals in the UK and US to see if they’re adequately countering the rapidly growing levels of cyber-attacks. It was found that 29 percent of organisations have a cyber-security expert working in the IT department, and only seven percent have an expert in another department or on the executive team.”

That does seem pretty low, and we don’t know how many of the organizations with an expert still require more staff. My guess is that they would take ’em if they could get ’em.

 SMB Cyber $kill$ $hortage$ – Affordability 

With any shortage of a commodity, it becomes a seller’s market. Prices go up. Those with skills and experience will expect top dollar. Some suggest that some of the vacancies exist because enterprise employers refuse to pay the new going rate. In Ottawa where I’m from, there’s a very good college program. The Director has been an ethical (white hat) hacker for 18 years. He told me all of his finishing students had received job offers before graduation, at starting average salaries beyond what SMBs could probably afford. Many small companies can’t even afford a full-time IT person. Skilled security staffers are definitely a luxury.

Since many SMBs don’t think they are targets, they’re not out seeking expensive staff, even if cost wasn’t a factor. There’s more awareness now, but maybe a small business only needs a part-time security person. Would that be included in the vacancy count? Have they ever been? Or, are they like unemployment stats after large numbers of people have given up and stopped looking for work, skewed downward so the numbers are not fully representative of the complete picture? Are those fractional staffer needs aggregated in the needs of MSSPs who will aim to provide services to SMBs? Maybe.

Compliance Regimens

On top of basic cyber security, SMBs will increasingly have to cope with new compliance regimens, as do larger entities. For example, for SMB defense contractors, DFARS compliance, ramping up more this month, is now a cost of doing business with DoD. But for SMBs, coping with any compliance regimen without needed security expertise adds to the overall burden and stress. DFARS is a demanding compliance regimen for ANY business. Trustifier recognizes this and will be announcing a helpful DFARS compliance solution for SMBs in the immediate future.

What’s a small defender to do?

Many of these issues were discussed in a six-part series – Time to help the little guys. The series is to inform SMBs that many of them are underestimating the cyber security risks to their business. Part 1 also suggests that the infosec industry needs to do more to help small defenders who can’t afford enterprise offerings, or a large security team. By helping the little guys, we help ourselves, right? Especially when many SMBs are business partners and part of the supply chain, to so many others in an inter-connected world.

Related Reading

A daunting cyber challenge

The scary state of the cybersecurity profession

The 7 Types Of Security Jobs, According To NIST

Mitigating the Cybersecurity Skills Shortage  (CISCO pdf)

Closing the Gap on the Infosec Skills Shortage

Cybersecurity specialist shortage is hitting the corporate bottom line

Cybersecurity skills gap: it’s big and it’s bad for security