If you're struggling to hire employees for your cybersecurity team, you're not alone. A security skill shortage is leaving businesses across industries vulnerable to attacks.
As cyberthreats become more complex and dangerous, IT departments are challenged to find employees with the skill sets to discover vulnerabilities and employ sophisticated protective technologies to address them.
The talent shortage affects businesses in several ways, the greatest being the additional risk they must assume. Yet without the right skills on board, many organizations are unaware of how vulnerable they are.
"Frankly, without the qualified staff to adequately valuate information assets of a business and develop a reasonable sense of their cyber value at risk, many businesses don't know what they don't know," explains David Shearer, CEO of (ISC)².
As organizations fiercely compete to hire top security practitioners, it's important to be aware of how big the problem is, which skills they need, and how they can compensate for a lack of talent to stay secure.
The Problem Is Severe
Experts agree: the lack of talent is a major problem across the economy.
"There is a severe security skill shortage in businesses," says Owanate Bestman, information security contract consultant at Barclay Simpson. "We see the general economic slowdown hasn't affected job flow at all within security."
The shortfall is widespread but some industries are more affected than others, he says. Financial services companies, for example, have advanced systems to protect sensitive data, but their tools are not fully utilized because employees lack the expertise.
In its 2015 Global Information Security Workforce Study, (ISC)²'s Center for Cyber Safety and Education predicts a shortfall of 1.5 million professionals worldwide by 2020 if the gap is not addressed. Fewer than 6% of the study's 13,930 respondents are under the age of 30, which paints a bleak picture for the future of the industry.
(ISC)²'s Shearer points out that undetected breaches can be attributed to lack of security staff. Poor incident response time and difficulty in recovery can ensue, he says.
Organizations are primarily lacking staff with technical expertise, explains Lee Kushner, president of LJ Kushner and Associates. Businesses can buy tools, technologies, and services, but it's harder to find people who can manage them.
"We have gaps in really hard technical skills," says Kushner, who has 20 years of experience recruiting InfoSec professionals. "We need people who would deal with advanced incident response, security operations, security analytics, and be able to understand and correct data that is useful to the organization."
Technically minded employees are harder to find than those with high-level security knowledge. Many companies already have leaders who can speak in broad terms about security but lack the detailed knowledge of how solutions work and the ability to advise and guide the business.
Cloud security skills are in especially high demand, says Bestman. Businesses should be on the hunt for security pros who have previously worked with cloud and can engage with business and IT departments to establish risk and manage processes.
However, before they can mature their cybersecurity strategies, companies must first establish strong service management capabilities.
"Too often, we assume the basics are in place when they're not," says Shearer. "For example, too many organizations still wrestle with automated patch management for servers, desktops, and mobile devices. You have to get the basics working really well and build off of those successes."
So how are businesses handling the skill shortage?
"I don't think they're coping at all with it," says Kushner, noting that technical positions remain unfilled for long periods of time. This often creates retention problems as existing security staff must compensate for the shortfall, which results in longer work hours and heightened stress.
In order to secure top talent, businesses need to improve their hiring strategies. This starts with posting a strong and effective job description.
"A lot of times when people are building job descriptions, they're not thinking about how the prospective candidates are viewing the opportunity," Kushner explains. "When job descriptions aren't written well, they're written in ways where the assumption is the targeted candidate is either not working or dissatisfied."
Compensation is a key factor. Oftentimes companies don't meet expectations when they try to recruit outside talent. Either the job description makes candidates feel underqualified, or compensation doesn't match the level of expertise they hope to gain.
Certifications can be helpful to ensure candidates are qualified, but the best ones vary depending on the role, says Bestman.
Some certifications have stood the test of time; for example, the CISSP and CISM are both highly respected and viewed as staples for mid- and senior-level positions. More specialized certifications include the CISA for audit skills and Tigerscheme for penetration testing.
Shearer recommends looking for employees with security experience, which is a strong indicator of their abilities.
"Have they thrown their hat in the ring for the tough assignments? This lets you know the degree to which their resolve has been tested," he says. "Attitude is also very important. People with the attitude that they can learn or do just about anything frequently do just that."
From there, businesses can dive into the specific skills they need; for example, a pen tester, infrastructure security architect, cloud security lead, or secure software developer.
Working Around The Gap
If your business is still hunting for talent or can't afford to hire a technical security expert, there are steps you can take to improve your security strategy.
"Organizations need a comprehensive cybersecurity plan that includes policies, governance, and operation excellence for cyber, information, software, and infrastructure security," says Shearer.
Given the number of best-practice frameworks available, he recommends that businesses adopt and operationalize an existing framework instead of developing their own. Options include IT Service Management (ITSM), COBIT as a complementary governance framework, and the National Institute of Standards and Technology (NIST) Risk Management Framework.
Automated patch management also helps, he says. While it's helpful to aggregate logs and use tools such as security information and event management (SIEM) technologies, this is only useful if there is sufficient staff to act on the findings.
Bestman advocates educating employees on best security practices.
"Implementing a good security awareness program within an organization is crucial," he emphasizes. "This educates all users, whether they're in business or IT, to ensure security is everyone's responsibility and not just the CISO's."
Organizations hoping to compensate for a talent shortage or small security budget may appoint a security awareness officer to educate key stakeholders and everyday users. This won't prevent every breach, but it creates a culture of awareness and emphasizes how security is everyone's responsibility.