The IoT Security Skills Gap
The IoT Security Skills Gap

It is a well-known fact that IT security (or as it is more commonly known today, “cybersecurity”) suffers from an acute shortage of working hands. Most organizations do not have the manpower to monitor their networks consistently and determine how they are being infiltrated, and some experts estimate there are more than 1 million unfilled security jobs worldwide today -- a number that is expected to grow to 3.5 million by 2020.

More specifically, there's a shortage of cybersecurity operations professionals, also known as analysts. The “laborer” of the cyber class, an analyst oversees the daily operation of cybersecurity systems. This includes checking the update level of security systems, investigating alerts, ingesting intelligence reports, and working alongside IT and risk professionals to ensure the organization is safe. In case of a severe incident, analysts (or incident responders as they are sometimes called) are tasked with investigating and mitigating the attack before it inflicts additional harm on the organization. U.S. businesses employed 82,900 information security analysts in 2014, and this number is expected to grow to nearly 100,000 analysts by 2024, but even today there are many vacant analyst positions, so it is unlikely that staffing will become easier in the future.    

Brother, Can You Spare an IoT Security Analyst?

With nearly two-thirds of organizations planning to deploy IoT solutions in the near future, and given the fact that IoT is a fairly new field without traditional training or academic programs, it is no wonder that more than half of organizations face a skills shortage for IoT-related tasks. It is difficult to ascertain exactly how many IoT security professionals are required, simply because the job title is not defined. But if we assume that the IoT will need analysts just as traditional cybersecurity operations do, we can extrapolate that the shortage will be similar, if not worse.

Compounding the problem, Gartner has identified a severe need for IT security leaders with IoT experience. A lack of IoT-proficient leadership slows the adoption of IoT projects for nearly 40% of organizations.  

Given that there are no IoT security universities and training courses that will start producing qualified analysts and executives in the coming years (and even if there were, these people would lack real-world experience), how can organization overcome this challenge?

 

Overcoming the Gap

The methods I am about to suggest are not new, but taken from the cybersecurity playbook. Organizations have been struggling with these challenges for decades, and have found success with the following tactics:

-        Seek expert advice: If your staff has little or no IoT security expertise, it is crucial that you seek advice outside of your organization. Businesses must learn from industry experts, join industry organizations and employ experienced consultants that can help them define an IoT security roadmap, complete with manpower and training programs.

-        Hire internally: Companies have plenty of talent, but they need to direct it to critical positions. “Hiring” internally is one way to ensure that trusted personnel are being utilized to the best of their talents. By using some creative thinking, companies can find employees with related proficiencies that could be transferred to the IoT security department. For instance, a physical security professional may have a good understanding of the domain and with little help could learn the basics of IT security and perform the role of IoT security analyst or manager.

-        Use managed services: Outsourcing security operations to an MSSP could assist greatly in the initial stages of implementing an IoT security solution until an organic team can be built. Even then, managed security services could still help by performing more elaborate tasks such as incident response and forensic analysis.

-        Utilize automation: Even the best IT security analyst team can get overwhelmed by the sheer volume of security alerts; this is called “alert fatigue” and can result in critical alerts being missed. To mitigate this, cybersecurity vendors have developed an array of automation and orchestration tools. IoT security professionals should demand the same level of automation, to help them cope with the expected onslaught of alerts.

Summary

IoT security follows in the footsteps of IT security and faces similar challenges, but the process is much quicker and at greater scale. As such, organizations implementing IoT security projects should follow the proven methods perfected by the IT security industry, seeking outside advice, hiring internally, using managed services to cope with the manpower gap, and utilizing automation mechanisms to augment existing personnel.