The Security Skills Gap is More Like a Chasm
And it’s not narrowing, which is both a headwind and tailwind for MSPs and security vendors. Plus: There’s a vCISO gap too and Augmentt has an MFA management tool.
Earlier this week, recruitment firm Pinpoint Search Group reported there were 86 security vendor funding and M&A transactions worth $2.15 billion during Q3. That’s way down from the roughly $4 billion worth of deals recorded in the peak quarter of Q4 2021, but roughly in line with the norm since mid-2022.
Interestingly, 59% of all venture capital investments in the quarter went to seed and Series A startups, suggesting a tilt in the direction of early-stage innovators. One wonders, based on ISC2’s latest Cybersecurity Workforce Study, where those early-stage innovators will find the employees they need to reach growth stage.
Published last month, the study revealed that the gap between the number of security professionals the world needs to keep everything safe and the number it has now stands at 4.8 million, a big number that looks even bigger when you consider that the total global population of security professionals presently stands at 5.5 million. Here in the U.S. alone, there are currently over 457,000 security job openings, according to CompTIA’s Cyberseek tool, versus a total security workforce just north of 1.25 million.
Worse yet, none of this is getting better. Indeed, although the skills gap had narrowed slightly in some recent years, according to ISC2 it has actually grown 19% since 2023.
Hard to know why exactly, but economic jitters are probably a contributing factor. 37% of the organizations ISC2 surveyed said they’re experiencing budget cuts, up 7% from the year prior.
“We’re starting to see a little bit of stagnation on investment curves, probably driven by geopolitics to a certain degree,” says Jon France, ISC2’s CISO. “A little bit of uncertainty in the world tends to force businesses to be a little more conservative in their investment choices.”
As security threats grow in variety and complexity, moreover, the knowledge required to protect businesses grows more specialized, and therefore harder to find. “If I had 100 candidates now, only 40 of them might be qualified to do the job because the skills I’m looking to bring into an organization aren’t present,” France says.
The same issue makes attracting newcomers to the field harder as well. “For a candidate that’s considering an entry point directly into cybersecurity, it will take more training, more preparation, more skill building, maybe more expertise than if they were just getting into an IT help desk,” says Seth Robinson, CompTIA’s vice president of industry research.
Handing harder challenges to fewer people, meanwhile, isn’t a recipe for job satisfaction, as reflected in data from security professional organization ISACA earlier this month showing that two-thirds of security professionals call themselves stressed.
“We’re being asked to do more with less budget today, but the threat’s growing,” France observes.
And then there are perennial issues like the mismatch between how much experience employers believe they need and how much they actually need. “Companies think they want to go out and just hire five-to-10-year, mid-career professionals,” Robinson says.
The lack of a defined roadmap for entering the field has long made recruiting people into the profession even tougher, France adds. People who’ve never held a stethoscope know exactly what’s required to become a doctor. Less so with becoming a security expert.
“Pathways into the profession haven’t been super clear from education through to entry level through to mid-grade and to senior grade,” France says.
All of this might be an academic concern if not for the fact that SMBs in particular are dangerously ill-equipped to stave off multiplying threats. Something like 95% of them have the equivalent of less than half a person working on security, France says, citing data from last year’s Cybersecurity Workforce Study. Per new data from Sophos, meanwhile, a third of SMBs have no one monitoring and investigating security alerts. This at a time when 76% of SMBs have experienced a ransomware attack in the last year, according to research from OpenText Cybersecurity last week.
France has some suggestions for rectifying the problem. For starters, businesses could stop insisting that everyone who applies for an open position have a CISSP. “If budget is a constraint and you’ve only got limited spend, of course you’re going to want to recruit the most effective person that you can,” says France sympathetically. But that’s a little like recruiting for unicorns.
“Unicorns are expensive and they’re fairly rare,” France observes. “Why not hire a bunch of horses? Maybe one or two of them will grow a horn over time.”
The “over time” part of that advice is key, too. “You can’t just put an entry-level person on incident management and say, ‘have at it,’ and then come back in six months and expect them to be at the next level,” France says. “Once you’ve started to attract entry-level people, there’s a quid pro quo of you train them both formally and informally, and they pay off.”
But let’s get real…
There’s only so much progress the industry can make toward closing a skills gap 4.8 million people wide. So what can vendors, MSPs, and end users do?
Everyone’s first and favorite answer, natch, is AI, and France thinks it’s a good one. “Some people say it’s going to eat the world,” he says. “I’ll be one to say it’s going to save the world for security practitioners.”
More specifically, AI is well suited to alerting security analysts about hidden patterns in massive pools of threat data. “The decision on what to do is still human, but it can say, ‘look, there’s an anomaly here. You might want to go and have a look,’” France explains.
Already, in fact, 64% of IT and security professionals globally see AI as a critical security tool and 45% in the U.S. say AI solutions for network and cloud security are their top investment priorities for the coming year, according to recent data from GetApp.
Vendors are similarly excited, as SentinelOne can tell you, not to mention investors, as Abnormal Security, Cyera, and Operant AI among others will affirm.
Robinson too sees promise in AI-powered security. “There is potential there, if those solutions are implemented well, to help companies do more with less or do more with the same number of resources,” he says. Just the same, he continues, most organizations are still going to wind up needing resources they don’t currently have.
“A piece that vendors should be considering is the larger picture and the skills that will be needed to even use these tools that have automation or AI built into them,” Robinson says. “It’s not just going to be set it and forget it with these things.”
And for that very reason, the same skills shortage likely to be a headwind for MSPs and MSSPs will probably be a tailwind too, as businesses large enough to have in-house IT departments struggle to fill open security positions.
“I often talk about capacity and capability,” France says. “Sometimes you’re recruiting for capacity, sometimes it’s for capability. The managed service providers are good at capability supply. So where you don’t need to retain capability inside but you need access to it, they’re the ones I would go to.”
And who will MSPs, in turn, go to? MDR vendors are a good bet. 81% of MSPs are using an MDR service already, according to that new report from Sophos, and Canalys expects MDR spending to soar 50% this year to $9 billion.
France, for his part, has one last decidedly radical suggestion for closing the security skills gap. “Let’s not introduce so many problems in the first place,” he says, citing CISA’s Secure By Design initiative as a good first step in that direction. “It’s not only more professionals, please. It’s also less vulnerabilities.”
There’s a vCISO gap too
Every business needs a CISO. Relatively few, in the SMB space anyway, can find or afford one. As a result, the skills gap benefiting MSPs, MSSPs, and MDR vendors in a perverse and unfortunate way portends good things for providers of virtual CISO services too.
MSPs are apparently well aware. Some 39% of them will have a vCISO offering by the end of the year and another 59% will have one at some point in the future, according to research that vCISO automation vendor Cynomi (which you’ve read about here before) conducted over the summer. That leaves just 2% of the MSP world neither serving as vCISO nor planning to.
That statistic suggests there may be another yawning gap out there beyond the one involving skills: knowing what a virtual CISO is.
“There’s definitely a misalignment in what we call vCISO and what those services actually do,” says Tim Coach, who recently became Cynomi’s global channel chief. “It takes a lot to be a CISO.” Way more than the average MSP can fairly be expected to know, per something I wrote for Channel Futures earlier this year.
On the other hand, the job sure pays well. 34% of respondents to Cynomi’s study who are vCISOs today say offering that service has increased their revenue (by 20% or more in the overwhelming majority of cases) and 37% say it’s increased margins (again by 20% or more most of the time).
And those are just the financial rewards. 44% of present-day vCISO providers report increased client engagement, a fact that doesn’t surprise Coach. “MSPs have said for years, ‘we want a seat at the table. We want to be a trusted partner,’” he notes. Quarterly business reviews focused on how many tickets you’ve closed and what hardware needs refreshing won’t get you there.
“What gets you there is strategic thinking for your clients to know where they’re taking their business so you can say that at every step of the way you’re going to be secure because we’re offering the service to help you,” Coach notes.
Helping MSPs without vCISO-grade security experience collect benefits like that is the opening Cynomi aims to fill. Its platform automatically scans client environments for vulnerabilities, prepares the in-depth questionnaires professional CISOs use to complete the assessment process, automatically generates NIST-based security policies, generates remediation plans, and helps MSPs implement them.
All good, but not enough to turn users with average security skills into true CISOs, as Cynomi itself is quick to say. Just as AI assists security professionals but doesn’t replace them, so too does Cynomi’s solution reduce the know-how needed to be a vCISO without eliminating it.
“I will always say the humans need to check it,” says Coach of the Cynomi platform’s output.
Which brings us all the way back to the skills shortage. How is an MSP supposed to find qualified CISOs or afford the $200,000 and up they typically make? Cynomi’s answer is to partner with a fractional CISO listed on the directory it rolled out in August instead, while training someone in-house to fill that role in the future.
“We’ve given them so much time back in their life that they’re now able to focus strategically on what they want to do,” Coach says. “That helps people graduate out of those lower-level positions.”
Still not cheap, of course, but a whole lot cheaper.
Augmentt adds MFA for MSPs
They were so stealthy about it you could easily have missed it, but SaaS management vendor Augmentt introduced an MFA tool this week. The new system lets MSPs create policies for multiple clients in Microsoft Entra MFA, enforce them, and report on MFA status through a single interface.
“Microsoft gives you lots of tools to do it one tenant at a time,” notes Augmentt CEO Derik Belair, “but it’s not easy.”
The new offering is the latest in a string of security-related enhancements to the Augmentt platform this year. The company introduced automated alert remediation early in June, for example, introduced an outsourced M365 security service two months later, and shipped a new security policy management tool and 100-point security audit a few weeks after that.
It’s no coincidence that security has dominated Augmentt’s roadmap lately either. According to Belair, SaaS management and SaaS security management are increasingly one and the same.
“All roads lead to security,” he says. “Whether you’re looking at backup or management or configuration, at the end of the day you’re doing all of that for security reasons.”
ConnectWise apparently agrees. It had little to say about help desk automation and Microsoft Teams configuration a few weeks ago when announcing it had bought SaaS management vendor SkyKick, but a lot to say about the vendor’s backup and security capabilities. Belair calls that reassuring.
“What I find very positive is the fact that every RMM and PSA vendor is out there saying that Microsoft security is critical,” he remarks. “The worst thing for a vendor is when you’re the only one beating the drum and nobody else cares.”
It can’t be entirely positive for a smaller vendor like Augmentt that companies the size of ConnectWise are moving into SaaS security, though, can it?
“If we were solving a very narrow, very niche problem, I would feel a little bit more concerned that you can get most of the functionality somewhere else,” Belair says. “We feel that this is a very big, very broad problem.”
A very broad problem that Augmentt is lately addressing, he adds, in a more targeted way. “We started our lives at Augmentt with a very wide lens on SaaS and all products that are SaaS-enabled,” Belair says. These days, the company’s pretty much all-in on Microsoft’s SaaS portfolio, mostly because its partners are too.
“Microsoft security’s at the center of the universe for most MSPs and their customers,” Belair notes. “That’s what the MSPs are telling us they want to fix immediately.”
Also worth noting
SentinelOne announced a bevy of AI-powered upgrades and an expanded alliance with AWS.
SuperOps is integrating with ESET for endpoint security.
TeamViewer is integrating with Malwarebytes for endpoint security.
Evo Security has updated its MFA solution, SSO tool, mobile apps, and admin portal.
Field Effect has a new SMB-focused, MSP-friendly MDR solution.
Pax8 has added ConnectWise MDR, Commvault, and Red Sift to its MSP marketplace.
Google has rolled out four new generative AI learning paths.
Vultr has launched its first of what I’m guessing will be many cloud infrastructure offerings for the hottest new hotness in artificial intelligence, agentic AI.
Bitdefender has introduced a tool called “Scam Copilot” to help consumers avoid, as opposed to generate, scams.
Arcserve UDP 10 combines backup, replication, high availability, ransomware detection, dedup, compression, and integrations with major cloud providers in one big package.
Tenable is the latest (but far from first) vendor to appreciate the growing need for data security posture management.
SiteLock 2.0 from Sectigo aims to simplify website security management for SMBs.
Cato Networks has added digital experience monitoring to its ever-expanding SASE platform.
Justin Gilbert, formerly of OpenText and Channel Program, is the new channel sales director for the Americas at Object First.
James Scobey is the new CISO at Keeper Security.