
Careers & People

9/13/2019
01:10 PM

No Quick Fix for Security-Worker Shortfall

Security professionals see acquiring skills as the way forward, but only half of companies are training their workers, with more continuing to search for highly skilled employees.

Although companies realize that skilled security professionals are difficult to hire, they continue to focus on increasing head count rather than training their current employees, according to a survey conducted by the 451 Group.

Yet, offering an opportunity for employees to learn new skills and the potential to advance and develop their careers could actually help firms acquire more dedicated and loyal security teams, according to a report based on the survey results and published this week by managed-security solutions provider eSentire. Eighty-seven percent of respondents maintain that the staffing levels at their organizations are adequate, while 78% of security professionals believe that companies have a gap in needed skills, not in the number of people performing security-related work. 

So, what if your company wants to develop its security team? Train and focus on career path, says Chris Braden, vice president of global channels and alliances at eSentire.

"When you have that sort of shortage, simply getting someone on board in the first place can be a challenge, but companies also need to focus on their strategy to be able to retain them," he says.

The survey underscores one of the paradoxes of the tight labor market in cybersecurity. While training is necessary to develop the skills to allow the security team to do its job, many companies fear that training and certification will allow their security experts to find better-paying jobs at other companies.

And there is some evidence of that. In 2018, the number of cybersecurity-related job postings in the United States increased by 7.2%, but the number of clicks on US cybersecurity jobs decreased by 1.3%, according to job aggregation platform Indeed.com. Currently, the cybersecurity sector does not have enough incoming skilled workers to fill all the necessary positions. Instead, companies are cannibalizing the teams at other firms.

"If you are a company who does not have a series of advanced security-skilled positions available in your organization, you are probably not going to be very proactive about encouraging your employees to get the training, because they are going to use the training to exit the business, more than likely," Braden says.

Train to Retain
At the same time, such training is what convinces skilled workers to stay. Almost two-thirds (63%) of security professionals believe that ongoing education and helping employees get security certifications is the No. 1 effort that could help companies hire and retain personnel, according to the survey. Higher salaries and better benefits came in at No. 2, with 57% of respondents believing that raising pay would help retain employees.

The survey also found a strong link between training opportunities and job satisfaction: approximately six in 10 security professionals who say they are satisfied with their jobs are also satisfied with the educational opportunities offered to them, while seven in 10 of those who are unsatisfied with their jobs are also unsatisfied with their options for continuing education.

It even applies to managed service providers, such as his company, Braden says.

"We are not immune to this," Braden says. "But the size of our SOC and the number of people we employ led us to develop an internal training capability — we can train college students into an entry level role and train them as they move up the [career] stack."

A third of respondents — the largest segment — rate learning new skills as their top consideration in job satisfaction. Security professionals who have stayed at their current jobs for longer than five years have the greatest satisfaction with the level of education and training offered by their employers.

Still, not all companies have the need for more advanced positions. Part of the problem for many companies is that they have little way for cybersecurity professionals to advance their careers, says Braden.

"Even with large midmarket companies with 5,000 or 10,000 employees, there may not be a lot of roles requiring security skills that would allow that type of advancement," he says. "I think that skills-gap alignment is really a bigger issue in some ways than the shortfall in security talent itself."

Managed service providers can help mitigate the impact of the lack of security talent, but companies have to take the right approach, Braden says.

"Our model is really not to enable a company to displace their IT security team — those people are valuable and they are hard to get, as we identify in the report," he says. "Instead, companies can use those resources for other purposes. And, if you look at the litany of operational debt items that are typically in a SOC or an IT department, we are talking about the ability to be able to implement software updates and patches, retiring login credentials when someone leaves an organization — they can repoint their people to more productive activities to which they are better suited, rather than processing alerts off a SIEM."

For companies that want to develop their own in-house team, the survey seems to indicate a way forward. Organizations need to have good executive support for whoever is designing and managing the security program, and roles have to be developed that both support the program and allow employees to advance into new positions, Braden says.

Then the head of information security must work with human resources to develop a program to develop and acquire the right talent for those positions and retain them. And, Braden adds, a key part of that is education.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...