How IT Departments Can Manage The Security Skills Shortage

A lack of skilled cybersecurity talent is putting organizations at risk. Which skills are in highest demand, and how can IT managers secure the right people to protect their information?

If you're struggling to hire employees for your cybersecurity team, you're not alone. A security skill shortage is leaving businesses across industries vulnerable to attacks.

As cyberthreats become more complex and dangerous, IT departments are challenged to find employees with the skill sets to discover vulnerabilities and employ sophisticated protective technologies to address them.

The talent shortage affects businesses in several ways, the greatest being the additional risk they must assume. Worse, without the right skills on board, many organizations are unaware of how vulnerable they are.

"Frankly, without the qualified staff to adequately valuate information assets of a business and develop a reasonable sense of their cyber value at risk, many businesses don't know what they don't know," explains David Shearer, CEO of (ISC)².

As organizations fiercely compete to hire top security practitioners, it's important to be aware of how big the problem is, which skills they need, and how they can compensate for a lack of talent to stay secure.

The Problem Is Severe

Experts agree: the lack of talent is a major problem across the economy.

"There is a severe security skill shortage in businesses," says Owanate Bestman, information security contract consultant at Barclay Simpson. "We see the general economic slowdown hasn't affected job flow at all within security."

The shortfall is widespread but some industries are more affected than others, he says. Financial services companies, for example, have advanced systems to protect sensitive data, but their tools are not fully utilized because employees lack the expertise.

In its 2015 Global Information Security Workforce Study, (ISC)²'s Center for Cyber Safety and Education predicts a shortfall of 1.5 million professionals worldwide by 2020 if the gap is not addressed. Fewer than 6% of the study's 13,930 respondents are under the age of 30, which paints a bleak picture for the future of the industry.

(ISC)²'s Shearer points out that undetected breaches can be attributed to lack of security staff. Poor incident response time and difficulty in recovery can ensue, he says.

Organizations are primarily lacking staff with technical expertise, explains Lee Kushner, president of LJ Kushner and Associates. Businesses can buy tools, technologies, and services, but it's harder to find people who can manage them.

"We have gaps in really hard technical skills," says Kushner, who has 20 years of experience recruiting InfoSec professionals. "We need people who would deal with advanced incident response, security operations, security analytics, and be able to understand and correct data that is useful to the organization."

Technically minded employees are harder to find than those with high-level security knowledge. Many companies already have leaders who can speak in broad terms about security but lack the detailed knowledge of how solutions work and the ability to advise and guide the business.

Cloud security skills are in especially high demand, says Bestman. Businesses should be on the hunt for security pros who have previously worked with cloud and can engage with business and IT departments to establish risk and manage processes.

However, before they can mature their cybersecurity strategies, companies must first establish strong service management capabilities.

"Too often, we assume the basics are in place when they're not," says Shearer. "For example, too many organizations still wrestle with automated patch management for servers, desktops, and mobile devices. You have to get the basics working really well and build off of those successes."

Smarter Hiring Practices Needed

So how are businesses handling the skill shortage?

"I don't think they're coping at all with it," says Kushner, noting that technical positions remain unfilled for long periods of time. This often creates retention problems as existing security staff must compensate for the shortfall, which results in longer work hours and heightened stress.

In order to secure top talent, businesses need to improve their hiring strategies. This starts with posting a strong and effective job description.

"A lot of times when people are building job descriptions, they're not thinking about how the prospective candidates are viewing the opportunity," Kushner explains. "When job descriptions aren't written well, they're written in ways where the assumption is the targeted candidate is either not working or dissatisfied."

Compensation is a key factor. Oftentimes companies don't meet expectations when they try to recruit outside talent. Either the job description makes candidates feel underqualified, or compensation doesn't match the level of expertise they hope to gain.

Certifications can be helpful to ensure candidates are qualified, but the best ones vary depending on the role, says Bestman.

Some certifications have stood the test of time; for example, the CISSP and CISM are both highly respected and viewed as staples for mid- and senior-level positions. More specialized certifications include the CISA for audit skills and Tigerscheme for penetration testing.

Shearer recommends looking for employees with security experience, which is a strong indicator of their abilities.

"Have they thrown their hat in the ring for the tough assignments? This lets you know the degree to which their resolve has been tested," he says. "Attitude is also very important. People with the attitude that they can learn or do just about anything frequently do just that."

From there, businesses can focus on the specific skills they need; for example, a pen tester, infrastructure security architect, cloud security lead, or secure software developer.

Working Around The Gap

If your business is still hunting for talent or can't afford to hire a technical security expert, there are steps you can take to improve your security strategy.

"Organizations need a comprehensive cybersecurity plan that includes policies, governance, and operation excellence for cyber, information, software, and infrastructure security," says Shearer.

Given the number of best-practice frameworks available, he recommends businesses adopt and operationalize an existing framework instead of developing their own. Options include IT Service Management (ITSM), COBIT as a complementary governance framework, and the National Institute of Standards and Technology (NIST) Risk Management Framework.

Automated patch management also helps, he says. While it's helpful to aggregate logs and use tools such as security information and event management (SIEM) technologies, this is only useful if there is sufficient staff to act on the findings.

Bestman advocates educating employees on best security practices.

"Implementing a good security awareness program within an organization is crucial," he emphasizes. "This educates all users, whether they're in business or IT, to ensure security is everyone's responsibility and not just the CISO's."

Organizations hoping to compensate for a talent shortage or small security budget may appoint a security awareness officer to educate key stakeholders and everyday users. This won't prevent every breach, but it creates a culture of awareness and emphasizes how security is everyone's responsibility.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

User Rank: Apprentice
9/5/2016 | 12:40:13 PM
If technical skills are in demand, why do we keep pushing non-technical certs?
I love seeing articles like these. I think the industry as a whole has way too much emphasis on "High Level Security Skills" and not enough on the skills necessary to create effective operators.

Along those lines, the CISSP and CISA are not indicators of those skill sets. When I'm looking for talent, the CISSP, although not a bad thing to have, is not an indicator of technical skills. That is doubly so for the CISA. The standard in my mind has always been the SANS GIAC certifications. SANS is one of the very few certification tracks that emphasizes the skills necessary to defend an organization.

Those of us already in the industry need to work hard at identifying raw talent and finding better ways of building pathways to training. The only way to solve this problem is to create an accessible recruitment-to-training program that feeds new talent into the industry.


User Rank: Apprentice
9/5/2016 | 12:43:04 PM
Security Skills
Very informative read on managing Security skills...


Chief Security Officer,
User Rank: Apprentice
9/11/2016 | 9:06:31 PM
Re: If technical skills are in demand, why do we keep pushing non-technical certs?
To create an accessible recruitment-to-training program that feeds new talent into the industry, you have to target pools of prospects: academia. The industry needs to actively engage academia to identify those students suitable for specialized training. Offering scholarships for their formal university education to entice them into areas of critical need in the industry would be a good idea.