
Careers & People

9/13/2019
01:10 PM

No Quick Fix for Security-Worker Shortfall

Security professionals see acquiring skills as the way forward, but only half of companies are training their workers, with more continuing to search for highly skilled employees.

Although companies realize that skilled security professionals are difficult to hire, they continue to focus on increasing head count rather than training their current employees, according to a survey conducted by the 451 Group.

Yet, offering an opportunity for employees to learn new skills and the potential to advance and develop their careers could actually help firms acquire more dedicated and loyal security teams, according to a report based on the survey results and published this week by managed-security solutions provider eSentire. Eighty-seven percent of respondents maintain that the staffing levels at their organizations are adequate, while 78% of security professionals believe that companies have a gap in needed skills, not in the number of people performing security-related work. 

So, what if your company wants to develop its security team? Train and focus on career path, says Chris Braden, vice president of global channels and alliances at eSentire.

"When you have that sort of shortage, simply getting someone on board in the first place can be a challenge, but companies also need to focus on their strategy to be able to retain them," he says.

The survey underscores one of the paradoxes of the tight labor market in cybersecurity. While training is necessary to develop the skills to allow the security team to do its job, many companies fear that training and certification will allow their security experts to find better-paying jobs at other companies.

And there is some evidence of that. In 2018, the number of cybersecurity-related job postings in the United States increased by 7.2%, but the number of clicks on US cybersecurity jobs decreased by 1.3%, according to job aggregation platform Indeed.com. Currently, the cybersecurity sector does not have enough incoming skilled workers to fill all the necessary positions. Instead, companies are cannibalizing the teams at other firms.

"If you are a company who does not have a series of advanced security-skilled positions available in your organization, you are probably not going to be very proactive about encouraging your employees to get the training, because they are going to use the training to exit the business, more than likely," Braden says.

Train to Retain
At the same time, such training is what convinces skilled workers to stay. Almost two-thirds (63%) of security professionals believe that ongoing education and helping employees get security certifications is the No. 1 effort that could help companies hire and retain personnel, according to the survey. Higher salaries and better benefits came in at No. 2, with 57% of respondents believing that raising pay would help retain employees.

The survey also found a strong link between training opportunities and job satisfaction: approximately six in 10 security professionals who say they are satisfied with their jobs are also satisfied with the educational opportunities offered to them, while seven in 10 of those who are unsatisfied with their jobs are also unsatisfied with their options for continuing education.

It even applies to managed service providers, such as his company, Braden says.

"We are not immune to this," Braden says. "But the size of our SOC and the number of people we employ led us to develop an internal training capability — we can train college students into an entry level role and train them as they move up the [career] stack."

A third of respondents — the largest segment — rate learning new skills as their top consideration in job satisfaction. Security professionals who have stayed at their current jobs for longer than five years have the greatest satisfaction with the level of education and training offered by their employers.

Still, not all companies have the need for more advanced positions. Part of the problem for many companies is that they have little way for cybersecurity professionals to advance their careers, says Braden.

"Even with large midmarket companies with 5,000 or 10,000 employees, there may not be a lot of roles requiring security skills that would allow that type of advancement," he says. "I think that skills-gap alignment is really a bigger issue in some ways than the shortfall in security talent itself."

Managed service providers can help mitigate the impact of the lack of security talent, but companies have to take the right approach, Braden says.

"Our model is really not to enable a company to displace their IT security team — those people are valuable and they are hard to get, as we identify in the report," he says. "Instead, companies can use those resources for other purposes. And, if you look at the litany of operational debt items that are typically in a SOC or an IT department, we are talking about the ability to be able to implement software updates and patches, retiring login credentials when someone leaves an organization — they can repoint their people to more productive activities to which they are better suited, rather than processing alerts off a SIEM."

For companies that want to develop their own in-house team, the survey seems to indicate a way forward. Organizations need to have good executive support for whoever is designing and managing the security program, and roles have to be developed that both support the program and allow employees to advance into new positions, Braden says.

Then the head of information security must work with human resources to build a program that develops and acquires the right talent for those positions and retains it. And, Braden adds, a key part of that is education.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
