Sustaining Security Talent: A Big Challenge for CISOs

When talking to CISOs, it’s not uncommon to hear the following complaint: security engineers are hard to come by and they come at a high price tag when they are found. As the demand increases without the supply catching up, the outlook for finding talented security professionals will become even more challenging and expensive.

A recent survey of IT decision makers by the Centre for Strategic and International Studies revealed that 82% of employers claim to have a shortage of cybersecurity skills in their organization, and 71% of those say it causes their organizations direct and measurable damage. The same report stated that cybersecurity graduates do not possess the skills needed. Only 23% of employers believed that education fully prepares students to enter the cybersecurity industry, and that figure applies only to students who studied security. Graduates with a degree in computer science are very likely not to have completed a single security course.

It’s clear that academia needs to catch up with the growing demand for cybersecurity skills, but what can companies do in the meantime?

Preserve Your Security Talent

To start, it’s important to retain and nurture the security talent you already have by ensuring they can work as efficiently as possible. This means they shouldn’t be spending their time finding obvious mistakes that could easily have been prevented or detected; that is just busy-work. Security professionals should be working with others to find and solve the more difficult problems they are uniquely qualified for.

Another way of protecting your current security talent is by training your development team in secure coding practices and providing security awareness training to the entire organization. Not only does this free up time for your security engineers, but it helps to grow your internal security talent for the future.

Grow Your Own Security Talent

With cybercrime on the rise and security talent rare, corporations need to be taking the initiative not only to preserve and sustain the talent they have, but to start growing it internally as well. All software engineering employees should receive regular secure coding training and those who have a knack for it and a desire to learn more should be identified and their talents nurtured.

This ensures that the security experts you already have can spend their time on the more important tasks, because development will be making fewer mistakes. Then, as demand grows and talent leaves your company or eventually retires, you are not left without the expertise needed to keep your organization from being vulnerable to hacks.

The biggest mistake you can make is not starting security training early. If you’re not doing it yet, it’s already too late. However, as they say, it’s better late than never.

Prevention is Key

For many organizations, security training remains an afterthought. It’s something they know they should be doing and would like to be doing, but CISOs still have to fight for the budget and time to implement an effective training strategy. For companies that have not experienced a security incident, or at least aren’t aware that they have, the problem is often out of sight, out of mind. Their developers are busy building products and tools, and they don’t have time to complete regular training programs.

Cybersecurity is no different from any other kind of security. We don’t allow our children to ride a bike without a helmet, and we all know to wear a seatbelt. These are simple precautions we take because we’ve been educated our entire lives on general safety measures. Organizations need to adopt the same mindset towards cybersecurity and secure coding. All employees need to be educated on the potential dangers of being hacked. Software developers need specific training on secure coding practices and how hackers think. If we want to stop someone breaking into our house, the best way is to try breaking in ourselves and find out where the weaknesses are. The same goes for software development.

Waiting is Expensive and Unsustainable

With the current environment as it is, it’s irresponsible to wait for more talent to come along, just as it’s dangerous to wait to be hacked before implementing security measures. The prioritization of security in organizations is becoming a competitive differentiator and customers are learning which brands they can trust.

It’s also important not to put all your eggs in one basket. Growing your own security talent takes time, and corporate cybersecurity is an immediate issue. At the same time, solely protecting the talent you have is not enough. The demand for security experts will only continue to grow, and it’s unsustainable and expensive to rely on those experts alone, even if your pockets are deep enough for the rising salaries they will inevitably command.

The most effective and cost-efficient way for the C-suite to address this growing problem is to start investing in security training programs today.
