Rethinking Solutions to the InfoSec Skills Shortage

Two trends have remained consistent over the last decade within the information security industry.

The first is that security risks have increasingly gained board-level attention in many industries. Whether senior executives are adequately responding to the urgency of the threat and prioritizing information security in their business strategies is, however, still in question.

The second is that the perennial skills shortage of professionals within the industry shows no signs of abating. Recent estimates suggest a global shortfall of about 1.8 million security professionals within five years. ISACA’s State of Cybersecurity 2019 report indicates that the majority of organizations have unfilled cybersecurity positions.

With digital transformation firmly on the agenda for many organizations and cyber-attacks on the rise, business leaders continue to struggle to resource strategic business imperatives with appropriate security skills.

Scarcity, inconsistent quality and poor retention of security professionals are among the challenges often highlighted when resourcing functions such as security architecture, threat and vulnerability management, and incident response.

If Current Approaches Are Not Working, Change Them

With reports that the global skills shortage appears to be getting worse, the industry can continue to wring its hands in frustration or make a concerted effort to do something about it.

While none of the ideas espoused below are particularly groundbreaking, the desired outcomes are achievable if we are willing to challenge existing approaches to skills development, talent hunting and recruitment.

Attract and Retain More Women and Minorities

Women remain globally underrepresented in the security industry with studies citing percentages as low as 11% in 2017. The gender disparity and discrimination against minorities in the industry remain hot topics of discussion at many industry conferences such as Infosecurity Europe.

Concluding that diversity programs are always effective at addressing gender imbalance and marginalization of minorities in the workplace is perhaps overstating things. However, rather than dismissing them as ineffective or keeping them going merely to satisfy corporate KPIs, more focus is required.

Rethinking existing initiatives designed to create inclusive workplaces, encourage mentorship and address inequalities in pay and career progression for target groups requires sincerity.

Recruit Non-Traditional Disciplines in Non-Traditional Ways

Specialist information security degrees and partnerships between higher institutions and professional certification organizations such as ISACA and (ISC)2 have offered paths into the industry for many coming from academia.

However, many of those individuals come from STEM backgrounds, where the body of knowledge tends to align closely with the capabilities required to operate in more technical security roles.

This calls for a rethink in the way companies search for security talent. It is worth challenging existing campus recruitment programs by recognizing that some of the best talent might not be found within the confines of universities. Mentoring, competitions, hackathons and bug bounty programs are some examples of alternative ways to spot security talent.

In addition to basic technical skills, natural curiosity and a strong aptitude for risk, analysis, investigation and reporting are foundational attributes required to operate in many domains within information security. These are qualities that do not exclusively reside in traditional academic disciplines.

Incentivize Internal Talent

Rather than the rate of budget expansion eroding, security budgets are predicted to continue to increase.

Prioritizing funding across security program areas is a constant challenge for many CISOs. This unfortunately often results in security education falling lower in the pecking order when faced with competing priorities.

With career stagnation cited by many professionals as one reason for leaving organizations, it is worth rethinking security staff training and personal development strategies. Ring-fencing budget allocation for training also shows leadership’s commitment to retaining the best talent.

Infosec leaders can also do better in identifying staff outside the security function who demonstrate the right level of interest and technical skill and who might be thinking about their next career move.

Rather than losing them to other organizations, internal career events designed to demystify infosec could provide opportunities to attract and retain individuals who may possess invaluable institutional knowledge.

Could Increased Automation Be the Answer?

Perhaps the answer to offsetting skills shortages is to reduce the dependency on humans altogether. Indeed, many organizations are already exploring robotic process automation to streamline and standardize repetitive processes. This trend is set to continue, especially in the area of DevSecOps.

The desired state for many CISOs would be to free up skilled professionals to be more creative and innovative and to focus on optimizing the security function.

The Skills Shortage Is a Matter of National Significance

The UK government recognizes that “cybersecurity is central not only to our national security but also fundamental to becoming the world’s best digital economy”. This recognition has led to the rollout of a National Cyber Security Skills Strategy, for which consultations will take place for most of 2019.

Addressing the information security skills shortage requires fresh thinking and stronger collaboration between government, industry and public/private partnerships. Perhaps 2019 will mark the turning point.
