The community of cybersecurity professionals is an energetic, creative, and highly sought-after one. It's also incredibly small, with hiring demands outpacing the available supply of professionals. Ask your chief information security officer, chief information officer, or chief security officer if they have all the information security personnel they want, and the answer will almost always be a universal “No.” In fact, they don't even have the number of individuals they need.
This is, as you know, not a newsflash. The call for more training, education, and career paths has been a regular hymn sung by the information security choir for many years. Tim Wilson of Dark Reading sounded the alarm back in 2012 with, "Security Skills Shortage Creates Opportunities for Enterprises, Professionals." The RAND National Security Research Division highlighted the skills shortage in its June 2014 study, “Hackers Wanted: An Examination of the Cybersecurity Labor Market.” The shortage of personnel with information security skills is the ongoing reality, and with the arrival (and hyper growth) of the Internet of Things, we can expect the shortage to become even more acute. What is a company to do?
Break Down Barriers
The first recommendation is to break down the barriers between the C-suite and security implementation. A July 2014 Ponemon Institute survey of over 4,800 IT and security practitioners asked how often discussions between IT and the C-suite occur. The answer was staggering: one-third never speaks to business management executives unless contacted, and one-quarter noted that conversation occurred roughly once a year.
If the operations side of the house and the support side of the house are not tethered together and moving as one, then the latter is trying to support the former with inadequate knowledge and resources. You will get something as a result, but will it be what you desired?
Recruit, Recruit, Recruit
The second recommendation is to get out there and recruit from the pipeline of new employees entering the job market. Recruit at the grassroots level by creating programs that teach cybersecurity and information security skills at the secondary, vocational, college, and university levels. If the security industry invested in the educational programs required to satisfy the needs of the future, then the overall population of available recruits would increase. With unemployment around the world at record highs, opportunity abounds if the right education is available.
The third recommendation is to look inside your own organization. Does your company have a clear career path defined for cybersecurity professionals? If an individual with core IT skills wished to specialize in security or gain additional knowledge, can your company accommodate that shift? It should, because not only does this increase the skill set of existing employees, but investing in employee retention will guarantee that more is brought to the collective table.
The shortage of skilled IT security professionals is a reality. Building your own pipeline of talent is a viable strategy to solve the personnel shortage.