Solving The Security Workforce Shortage

To solve the skills shortage, the industry will need to attract a wider group of people and create an entirely new sort of security professional.
Companies looking for more security staff aren't going to find them -- they're going to have to make them.
The good news for security professionals is that security is a growth industry, with plenty of jobs right now. The pay is good and the competition is slim. The bad news is that, in the absence of capable colleagues, security staff are hideously overworked. The job is secure, but only if you can survive it.
In recent years, CISOs have succeeded in getting more boardroom buy-in for security tools and staff. According to (ISC)2's most recent Global Information Security Workforce Study, two-thirds of C-level managers believe their security departments are too small. Employers are interested in expanding their security staff, but they can't find people to fill the positions.
According to the study, the most sought-after quality is a broad knowledge of security -- more of a strategic understanding than technical know-how -- followed by certifications. This is a tricky combination. Individual technical certifications don't provide a broad understanding of security strategy, and CISSP certifications are only given to people who already have five years of experience working as a security professional.
"There really aren't many entry-level positions in security in the same way there are in other industries," says Julie Peeler, head of the (ISC)2 Foundation. "What we really need is people who have experience beyond the one piece of technology. More than just a Cisco server, they need to know how servers work, and how servers link to each other. They need to understand the strategy and engineering behind a server. They don't make those in college."
Peeler says that the entire security industry is moving away from the super-techie with the IT degree.
"Because of the rise of the security analyst -- someone who can take a lot of disparate information and cull the truth out of it -- companies are looking at people with liberal arts backgrounds -- necessarily non-technical backgrounds," says Peeler. "A lot of these analytical skills are hard to teach."
The trouble then is, if the people we want in IT jobs do not have IT backgrounds, how can we coax them to apply?
The first trouble is awareness. As Peeler says, nobody comes to the third-grade class on career day and tells kids what it's like to be a security pro.
"Even when some people are aware of the industry," adds Peeler, "it looks really hard and really complicated, so I think there's a barrier to overcome there. It's not, in fact, rocket science."
Therefore, says Peeler, the security industry needs to do more to connect with children in primary and secondary school, as well as expand partnerships with universities. In addition to providing more mentoring, internships, and apprenticeships, the security industry needs to work with universities to create curricula that are nimble enough to respond to a rapidly changing industry.
In addition to attracting more non-techies, the industry needs to attract more women. Currently only 11 percent of the security workforce consists of women.
"If we doubled the number of women in security tomorrow, it would eliminate the shortage for a full year," said Peeler. "It's not just a cultural issue. It's an economic issue."
(ISC)2 is in the process of creating a Women in Security initiative to address this problem, and Peeler is doing a session about this at the RSA conference in San Francisco next week.
Although the security skills shortage is a global problem, some countries are having more success than others. Ireland, for example, has a thriving security sector that's adding jobs all the time.
"Ireland's core strength is that you can get people at a reasonable price in a reasonable time frame. There's an availability of talent, because it's a good place to live, so people are willing to relocate," says Stephen Brennan, Board of Directors, AdaptiveMobile, and former VP of Symantec Research Labs.
In addition to being a nice place to live, Ireland is particularly well-suited to drawing American businesses and European workers because it is the only English-speaking country in Europe that uses the Euro and it is located in the time zone nearest to the U.S. The European governments have also lowered barriers to entry, making it quick and easy for workers from Eastern Europe to take jobs in Ireland.
Nevertheless, it was a slow process that took years of investment. McAfee and Symantec opened operations in Ireland decades ago, and now there are major security clusters in Dublin and Cork that include a variety of security companies. According to Symantec, the country's security sector employs more than 6,000 people. Symantec, FireEye, McAfee, and Mandiant created more than 700 jobs in Ireland in the last year alone.
If the rest of the world is going to solve its security skills shortage, it will need to create similar clusters in other parts of the world.
Have other ideas about what the security community can do to attract new talent? Let us know in the comments below. And if you're going to the RSA conference next week, check out the sessions in the Professional Development track.
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...