You only have to look at recent headlines to confirm that cybersecurity is a critical concern that touches every industry and every individual, and threats are only continuing to increase.
Yet in a recent study conducted by ISACA and RSA, 52 percent of global cybersecurity and IT managers and practitioners said “that less than a quarter of applicants for cybersecurity positions have the necessary skills for the open position. As a result, 53 percent said it can take three to six months just to find a qualified candidate.” Then it takes another three to get them on board. This is a pressing issue within this field of work that needs to be addressed. So how did this shortage or “talent gap” happen in the first place?
When the information security industry first began to be a focus area, three decades ago (when I entered the IT/Security world!), enterprises did not anticipate the incredible advancements in technology, the rapid increase in advanced cyber attacks and the constant need to protect sensitive data. The major advancements of technology alone, from mobile applications to cloud to the internet of things, have shined a spotlight on both the security vulnerabilities these technologies present and the lack of cybersecurity professionals who know how to fix them.
But instead of making a concerted effort to attract and retain cyber talent, many organizations took an alternative route of outsourcing their security teams. As breaches continue to increase in both frequency and sophistication, enterprises have had to make a switch to hiring an internal team of dedicated info security professionals, who are tough to find and hard to keep. This shift in approach towards internal enterprise security created an immediate need to seek out and train qualified security professionals. Over the years, this need for qualified and skilled security professionals has grown faster than the workforce available to fill the jobs, leading to this major gap.
Despite the growing breadth/depth of security threats in the everyday organization, it is typical to find an unstructured security team that is not providing professional growth or continued education opportunities. Furthermore, the few professionals who are qualified are spread too thin and tend to burn out quickly. This has also had a profound impact on the security industry, which is now seeing 1 million unfilled cybersecurity jobs in 2016 alone, and that number is expected to increase to 6 million global job openings by 2019.
While the task of closing this gap seems daunting, it is important for enterprises to shift their focus to their internal teams to cultivate the talent that already exists within their organizations, even if it’s minimal to start. They need to provide an environment that encourages career growth and constant training to ensure security professionals are armed with the knowledge and skills to defend their organizations. If this becomes the practiced behavior, it is my belief that the skills gap will start to close.
To do this you must understand what skills you already have and then determine what you need within your security team when hiring. A range of talent is required to keep an enterprise secure, so you must know your must-haves when doing so. In addition, it’s important to understand the soft skills needed, which include creative problem-solving, the ability to foster collaboration and a drive to challenge conventional thinking to stay ahead of hackers. It is no longer easy to find that 100-percent candidate, and even the 80/20 rule doesn’t work any more! You have to accept that, at times, you may have to hire for the must-have(s) and train the rest; maybe a 50/50 rule?
Once you have a good understanding of what you need, make sure you are finding the right people and making a concerted effort to retain the talent within your organization. Though this is a long-term process, which requires continued effort, below are some quick tips to point you in the right direction:
1. Working with elementary/high school/colleges/universities
   Cultivating talent early on is the most effective strategy to address the growing talent shortage. Work with schools/students to provide insight into the cybersecurity industry by supporting training and education initiatives that will arm young professionals with the skillsets necessary for success. This includes adding internships to your hiring practices!
2. Fostering an environment of continuous cyber education
   Since threats are constantly evolving and technology is advancing more rapidly than ever, continued education is necessary to keep skills sharp. It’s essential that organizations provide in-house and ongoing security trainings and certification courses that will give security professionals a leg up on hackers for everyone enterprise-wide.
3. Offering security teams meaningful employment
   Retain the talent within your organization by ensuring that employees feel their employment is meaningful. By offering opportunities for professional guidance and mentorship, you’ll create a supportive environment, leading to higher employee satisfaction and reduced turnover rates. Give them the opportunity to learn and empower them to be the best that they can be.
If we want to address the cyber talent shortage, we need to tackle the issue head on. By making a concerted effort to cultivate talent, encourage continued education and create a supportive workplace environment, we can strengthen the security industry and help build the workforce to thwart cyber attackers.
I love what I do, do you?
This article is published as part of the IDG Contributor Network.