How IT Departments Can Manage The Security Skills Shortage

A lack of skilled cybersecurity talent is putting organizations at risk. Which skills are in highest demand, and how can IT managers secure the right people to protect their information?

If you're struggling to hire employees for your cybersecurity team, you're not alone. A security skill shortage is leaving businesses across industries vulnerable to attacks.

As cyberthreats become more complex and dangerous, IT departments are challenged to find employees with the skill sets to discover vulnerabilities and employ sophisticated protective technologies to address them.

The talent shortage affects businesses in several ways, the greatest being the additional risk they must assume. Worse, without the right skills on board, many organizations do not know how vulnerable they are.

"Frankly, without the qualified staff to adequately valuate information assets of a business and develop a reasonable sense of their cyber value at risk, many businesses don't know what they don't know," explains David Shearer, CEO of (ISC)².

As organizations fiercely compete to hire top security practitioners, it's important to be aware of how big the problem is, which skills they need, and how they can compensate for a lack of talent to stay secure.

The Problem Is Severe

Experts agree: the lack of talent is a major problem across the economy.

"There is a severe security skill shortage in businesses," says Owanate Bestman, information security contract consultant at Barclay Simpson. "We see the general economic slowdown hasn't affected job flow at all within security."

The shortfall is widespread, but some industries are more affected than others, he says. Financial services companies, for example, have advanced systems to protect sensitive data, but those tools are not fully utilized because employees lack the expertise to run them.

In its 2015 Global Information Security Workforce Study, (ISC)²'s Center for Cyber Safety and Education predicts a shortfall of 1.5 million professionals worldwide by 2020 if the gap is not addressed. Fewer than 6% of the study's 13,930 respondents are under the age of 30, which paints a bleak picture for the future of the industry.

(ISC)²'s Shearer points out that undetected breaches can be attributed to a lack of security staff. Slow incident response and difficulty in recovery can follow, he says.

Organizations are primarily lacking staff with technical expertise, explains Lee Kushner, president of LJ Kushner and Associates. Businesses can buy tools, technologies, and services, but it's harder to find people who can manage them.

"We have gaps in really hard technical skills," says Kushner, who has 20 years of experience recruiting InfoSec professionals. "We need people who would deal with advanced incident response, security operations, security analytics, and be able to understand and correct data that is useful to the organization."

Technically minded employees are harder to find than those with high-level security knowledge. Many companies already have leaders who can speak in broad terms about security but lack the detailed knowledge of how solutions work and the ability to advise and guide the business on them.

Cloud security skills are in especially high demand, says Bestman. Businesses should be on the hunt for security pros who have previously worked with cloud and can engage with business and IT departments to establish risk and manage processes.

However, before they can mature their cybersecurity strategies, companies must first establish strong service management capabilities.

"Too often, we assume the basics are in place when they're not," says Shearer. "For example, too many organizations still wrestle with automated patch management for servers, desktops, and mobile devices. You have to get the basics working really well and build off of those successes."

Smarter Hiring Practices Needed

So how are businesses handling the skill shortage?

"I don't think they're coping at all with it," says Kushner, noting that technical positions remain unfilled for long periods of time. This often creates retention problems as existing security staff must compensate for the shortfall, which results in longer work hours and heightened stress.

In order to secure top talent, businesses need to improve their hiring strategies. This starts with posting a strong and effective job description.

"A lot of times when people are building job descriptions, they're not thinking about how the prospective candidates are viewing the opportunity," Kushner explains. "When job descriptions aren't written well, they're written in ways where the assumption is the targeted candidate is either not working or dissatisfied."

Compensation is a key factor. Oftentimes companies fall short of expectations when they try to recruit outside talent. Either the job description makes candidates feel underqualified, or the compensation doesn't match the level of expertise the company hopes to bring in.

Certifications can be helpful to ensure candidates are qualified, but the best ones vary depending on the role, says Bestman.

Some certifications have stood the test of time; for example, the CISSP and CISM are both highly respected and viewed as staples for mid- and senior-level positions. Role-specific certifications include the CISA for audit skills and Tigerscheme for penetration testing.

Shearer recommends looking for employees with security experience, which is a strong indicator of their abilities.

"Have they thrown their hat in the ring for the tough assignments? This lets you know the degree to which their resolve has been tested," he says. "Attitude is also very important. People with the attitude that they can learn or do just about anything frequently do just that."

From there, businesses can narrow in on the specific skills each role requires, depending on what they need; for example, a pen tester, infrastructure security architect, cloud security lead, or secure software developer.

Working Around The Gap

If your business is still hunting for talent or can't afford to hire a technical security expert, there are steps you can take to improve your security strategy.

"Organizations need a comprehensive cybersecurity plan that includes policies, governance, and operation excellence for cyber, information, software, and infrastructure security," says Shearer.

Given the number of best-practice frameworks available, he recommends businesses adopt and operationalize an existing framework instead of developing their own. Options include IT Service Management (ITSM), COBIT as a complementary governance framework, and the National Institute of Standards and Technology (NIST) Risk Management Framework.

Automated patch management also helps, he says. While it's helpful to aggregate logs and use tools like security information and event management (SIEM) technologies, they are only useful if there is sufficient staff to act on their findings.

Bestman advocates educating employees on best security practices.

"Implementing a good security awareness program within an organization is crucial," he emphasizes. "This educates all users, whether they're in business or IT, to ensure security is everyone's responsibility and not just the CISO's."

Organizations hoping to compensate for a talent shortage or small security budget may appoint a security awareness officer to educate key stakeholders and everyday users. This won't prevent every breach, but it creates a culture of awareness and emphasizes how security is everyone's responsibility.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
Chief Security Officer
9/11/2016 | 9:06:31 PM
Re: If technical skills are in demand, why do we keep pushing non-technical certs?
To create an accessible recruitment-to-training program that feeds new talent into the industry, you have to target pools of prospects: academia. The industry needs to actively engage academia to identify those students suitable for specialized training. Offering scholarships for their formal university education to entice them into areas of critical need in the industry would be a good idea.
9/5/2016 | 12:43:04 PM
Security Skills
Very informative read on managing Security skills...


9/5/2016 | 12:40:13 PM
If technical skills are in demand, why do we keep pushing non-technical certs?
I love seeing articles like these. I think the industry as a whole has way too much emphasis on "High Level Security Skills" and not enough on the skills necessary to create effective operators.

Along those lines, the CISSP and CISA are not indicators of those skill sets. When I'm looking for talent, the CISSP, although not a bad thing to have, is not an indicator of technical skills. That is doubly so for the CISA. The standard in my mind has always been the SANS GIAC certifications. SANS is one of the very few certification tracks that emphasizes the skills necessary to defend an organization.

Those of us already in the industry need to work hard at identifying raw talent and finding better ways of building pathways to training. The only way to solve this problem is to create an accessible recruitment-to-training program that feeds new talent into the industry.

