Study finds Infosec skill gap bigger than expected - businesses must act now to succeed in 2020

The Industrial Revolution has been heralded as a period of great global transformation, radically changing the world economy and influencing nearly every aspect of daily life. We believe the Digital Age represents an era considerably more influential and unlike anything seen in the history of mankind.

New business models have emerged (Uber, Alibaba, Airbnb), whilst iconic household names like Encyclopaedia Britannica and Kodak have fallen by the wayside because of their inability to respond to the Digital Age.

In the Digital Age, “assets” – which were traditionally physical and tangible in the industrial revolution – have been replaced with digital manifestations, which are often both abstract and intangible. “Information Security” has now taken centre stage because of the diverse threats and global ‘actors’ seeking ways to exploit and monetise the value of digital assets.


In late 2014 and early 2015 TrustedImpact, an information security consultancy, interviewed thirty (30) influential thought-leaders in the Australian technology, security and risk industries with the aim of gathering intelligence on the emerging trends in the security landscape leading up to 2020. In particular, TrustedImpact wanted to understand how these trends would influence the types of skills and roles needed to operate the information security team of 2020.


Our own reflection on the conclusions below was clear: this is a ‘leadership challenge’.

The five (5) main conclusions evident from the synthesis of the survey input and results are:

1: There are significant changes and trends reshaping the information security industry at a rapid pace.

Surviving in a fast-changing environment: The Leaders we surveyed overwhelmingly agreed that the industry is in a period of significant change. On one hand, many saw challenges managing the fast-moving ‘EXTERNAL threats’ such as organised crime and ‘hacktivists’. On the other hand, they also found themselves faced with the need to engage INTERNAL stakeholders to raise awareness and minimise the impact of ‘clickjacking’ and other employee-related security issues.

With the prevalence of third parties, outsourcing, and “the cloud”, the traditional approach to ‘protect the perimeter’ has become difficult at best (and obsolete at worst) when a majority of an organisation’s data resides outside of traditional company walls.


2: The role of the “Chief Information Security Officer” (or equivalent) is changing.

The CISO as a marketer and leader: The role will become less focused on technology and security tools, and more focused on marketing. The main challenge in this role is to engage the “hearts and minds” of the organisation so they are more empowered to become the protectors of the business’s sensitive data. The role is becoming an overall business leadership role.

3: For the security team to be effective in 2020, the composition of skills and roles will change and must become more engaged with their businesses.

The successful security team of 2020 must become more “well rounded”: Communication, negotiation, analytical and business engagement skills were all, on average, identified as large gaps leading up to 2020. We believe the shift towards ‘softer’ people skills is consistent with the industry trends around business engagement and the use of third parties for a majority of a company’s IT systems. In these circumstances, skills such as negotiation and communication will become more important to protect the company’s sensitive data.

Security roles – less island mentality, more eco-system interconnected: In 2020, information security will no longer work effectively as just an “island” function residing somewhere in the organisation. Instead, it will become an interconnected matrix of roles working collaboratively and cohesively across departments and third parties to adequately protect the organisation’s information.

4: Overall ‘demand’ for security personnel will outstrip ‘supply’, however, what’s MORE important is the mix and composition of skills.

The Gap – bigger than anticipated: A wealth of industry data (in addition to input from our Leaders) sees the overall ‘demand’ for information security personnel far outstripping today’s ‘supply’ or existing labour pool. It is recognised that this gap is (and will continue to be) significant. HOWEVER, because the skills and roles are changing at the same time, this gap will be even larger than anticipated.

5: Success in 2020 requires businesses to prepare TODAY to keep ahead of these trends and change the composition of skills and roles.

The future is here today: Organisations looking to succeed in the Digital Age will need a security capability that is responsive to the fast-moving industry trends. But significant shifts in skills are also needed to align with these trends.

The strategy that an organisation takes depends on its culture and desire to ‘build versus buy’. For example, some will choose to build a talented security team by investing in people development. On the other hand, some organisations will look to develop strategic partnerships with specialist firms for specialised contractor resources, to in/outsource certain information security capabilities or functions, or even the entire information security function.

There is no one ‘right’ approach. However, the LACK of a concerted approach or clear strategy is what will be the demise of an organisation if it waits until 2020 to respond.

If you wish to read the report, you can obtain it here


Stories by Ruth Rozario
