
9/1/2016
03:50 PM

How IT Departments Can Manage The Security Skills Shortage

A lack of skilled cybersecurity talent is putting organizations at risk. Which skills are in highest demand, and how can IT managers secure the right people to protect their information?

If you're struggling to hire employees for your cybersecurity team, you're not alone. A security skill shortage is leaving businesses across industries vulnerable to attacks.

As cyberthreats become more complex and dangerous, IT departments are challenged to find employees with the skill sets to discover vulnerabilities and employ sophisticated protective technologies to address them.

The talent shortage affects businesses in several ways, the greatest of which is the additional risk they must assume. Yet without the right skills on board, many organizations are unaware of how vulnerable they are.

"Frankly, without the qualified staff to adequately valuate information assets of a business and develop a reasonable sense of their cyber value at risk, many businesses don't know what they don't know," explains David Shearer, CEO of (ISC)².

As organizations fiercely compete to hire top security practitioners, it's important to be aware of how big the problem is, which skills they need, and how they can compensate for a lack of talent to stay secure.

The Problem Is Severe

Experts agree: the lack of talent is a major problem across the economy.

"There is a severe security skill shortage in businesses," says Owanate Bestman, information security contract consultant at Barclay Simpson. "We see the general economic slowdown hasn't affected job flow at all within security."

The shortfall is widespread, but some industries are more affected than others, he says. Financial services companies, for example, have advanced systems to protect sensitive data, but their tools are not fully utilized because employees lack the expertise.

In its 2015 Global Information Security Workforce Study, (ISC)²'s Center for Cyber Safety and Education predicts a shortfall of 1.5 million professionals worldwide by 2020 if the gap is not addressed. Fewer than 6% of the study's 13,930 respondents are under the age of 30, which paints a bleak picture for the future of the industry.

(ISC)²'s Shearer points out that undetected breaches can be attributed to lack of security staff. Poor incident response time and difficulty in recovery can ensue, he says.

Organizations are primarily lacking staff with technical expertise, explains Lee Kushner, president of LJ Kushner and Associates. Businesses can buy tools, technologies, and services, but it's harder to find people who can manage them.

"We have gaps in really hard technical skills," says Kushner, who has 20 years of experience recruiting InfoSec professionals. "We need people who would deal with advanced incident response, security operations, security analytics, and be able to understand and correct data that is useful to the organization."

Technical-minded employees are harder to find than those with high-level security knowledge. Many companies already have leaders who can speak in broader terms about security but lack the detailed knowledge of how solutions work and ability to advise and guide the business.

Cloud security skills are in especially high demand, says Bestman. Businesses should be on the hunt for security pros who have previously worked with cloud and can engage with business and IT departments to establish risk and manage processes.

However, before they can mature their cybersecurity strategies, companies must first establish strong service management capabilities.

"Too often, we assume the basics are in place when they're not," says Shearer. "For example, too many organizations still wrestle with automated patch management for servers, desktops, and mobile devices. You have to get the basics working really well and build off of those successes."

Smarter Hiring Practices Needed

So how are businesses handling the skill shortage?

"I don't think they're coping at all with it," says Kushner, noting that technical positions remain unfilled for long periods of time. This often creates retention problems as existing security staff must compensate for the shortfall, which results in longer work hours and heightened stress.

In order to secure top talent, businesses need to improve their hiring strategies. This starts with posting a strong and effective job description.

"A lot of times when people are building job descriptions, they're not thinking about how the prospective candidates are viewing the opportunity," Kushner explains. "When job descriptions aren't written well, they're written in ways where the assumption is the targeted candidate is either not working or dissatisfied."

Compensation is a key factor. Oftentimes companies don't meet expectations when they try to recruit outside talent. Either the job description makes candidates feel underqualified, or compensation doesn't match the level of expertise they hope to gain.

Certifications can be helpful to ensure candidates are qualified, but the best ones vary depending on the role, says Bestman.

Some certifications have stood the test of time; for example, the CISSP and CISM are both highly respected and viewed as staples for mid- and senior-level positions. Role-specific certifications include the CISA for audit skills and Tigerscheme for penetration testing.

Shearer recommends looking for employees with security experience, which is a strong indicator of their abilities.

"Have they thrown their hat in the ring for the tough assignments? This lets you know the degree to which their resolve has been tested," he says. "Attitude is also very important. People with the attitude that they can learn or do just about anything frequently do just that."

This allows businesses to dive into specific skills, depending on what they need; for example, a pen tester, infrastructure security architect, cloud security lead, or secure software developer.

Working Around The Gap

If your business is still hunting for talent or can't afford to hire a technical security expert, there are steps you can take to improve your security strategy.

"Organizations need a comprehensive cybersecurity plan that includes policies, governance, and operation excellence for cyber, information, software, and infrastructure security," says Shearer.

Given the number of best-practice frameworks available, he recommends businesses adopt and operationalize an existing framework instead of developing their own. Options include IT Service Management (ITSM), COBIT as a complementary governance framework, and the National Institute of Standards and Technology (NIST) Risk Management Framework.

Automated patch management also helps, he says. While it's helpful to aggregate logs and use tools such as security information and event management (SIEM) technologies, this is only useful if there is sufficient staff to act on the findings.

Bestman advocates educating employees on best security practices.

"Implementing a good security awareness program within an organization is crucial," he emphasizes. "This educates all users, whether they're in business or IT, to ensure security is everyone's responsibility and not just the CISO's."

Organizations hoping to compensate for a talent shortage or small security budget may appoint a security awareness officer to educate key stakeholders and everyday users. This won't prevent every breach, but it creates a culture of awareness and emphasizes how security is everyone's responsibility.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Comments
Chief Security Officer, 9/11/2016 | 9:06:31 PM
Re: If technical skills are in demand, why do we keep pushing non-technical certs?
To create an accessible recruitment-to-training program that feeds new talent into the industry you have to target pools of prospects - academia. The industry needs to actively engage academia to identify those students suitable for specialized training. Offering scholarships for their formal university education to entice them into areas of critical need in the industry would be a good idea.
Wings2i, 9/5/2016 | 12:43:04 PM
Security Skills
Very informative read on managing Security skills...
www.wings2i.com
KevinJ624, 9/5/2016 | 12:40:13 PM
If technical skills are in demand, why do we keep pushing non-technical certs?
I love seeing articles like these. I think the industry as a whole has way too much emphasis on "High Level Security Skills" and not enough on the skills necessary to create effective operators.

Along those lines, the CISSP and CISA are not indicators of those skill sets. When I'm looking for talent, the CISSP, although not a bad thing to have, is not an indicator of technical skills. That is doubly so for the CISA. The standard in my mind has always been the SANS GIAC certifications. SANS is one of the very few certification tracks that emphasizes the skills necessary to defend an organization.

Those of us already in the industry need to work hard at identifying raw talent and finding better ways of building pathways to training. The only way to solve this problem is to create an accessible recruitment-to-training program that feeds new talent into the industry.
