Although companies realize that skilled security professionals are difficult to hire, they continue to focus on increasing head count rather than training their current employees, according to a survey conducted by the 451 Group.
Yet, offering an opportunity for employees to learn new skills and the potential to advance and develop their careers could actually help firms acquire more dedicated and loyal security teams, according to a report based on the survey results and published this week by managed-security solutions provider eSentire. Eighty-seven percent of respondents maintain that the staffing levels at their organizations are adequate, while 78% of security professionals believe that companies have a gap in needed skills, not in the number of people performing security-related work.
So, what if your company wants to develop its security team? Train and focus on career path, says Chris Braden, vice president of global channels and alliances at eSentire.
"When you have that sort of shortage, simply getting someone on board in the first place can be a challenge, but companies also need to focus on their strategy to be able to retain them," he says.
The survey underscores one of the paradoxes of the tight labor market in cybersecurity. While training is necessary to develop the skills to allow the security team to do its job, many companies fear that training and certification will allow their security experts to find better-paying jobs at other companies.
And there is some evidence of that. In 2018, the number of cybersecurity-related job postings in the United States increased by 7.2%, but the number of clicks on US cybersecurity jobs decreased by 1.3%, according to job aggregation platform Indeed.com. Currently, the cybersecurity sector does not have enough incoming skilled workers to fill all the necessary positions. Instead, companies are cannibalizing the teams at other firms.
"If you are a company who does not have a series of advanced security-skilled positions available in your organization, you are probably not going to be very proactive about encouraging your employees to get the training, because they are going to use the training to exit the business, more than likely," Braden says.
Train to Retain
At the same time, such training is what convinces skilled workers to stay. Almost two-thirds (63%) of security professionals believe that ongoing education and helping employees get security certifications is the No. 1 effort that could help companies hire and retain personnel, according to the survey. Higher salaries and better benefits came in at No. 2, with 57% of respondents believing that raising pay would help retain employees.
The survey also found a strong link between training opportunities and job satisfaction: approximately six in 10 security professionals who say they are satisfied with their jobs are also satisfied with the educational opportunities offered to them, while seven in 10 of those who are unsatisfied with their jobs are also unsatisfied with their options for continuing education.
It even applies to managed service providers, such as his company, Braden says.
"We are not immune to this," Braden says. "But the size of our SOC and the number of people we employ led us to develop an internal training capability — we can train college students into an entry-level role and train them as they move up the [career] stack."
A third of respondents — the largest segment — rate learning new skills as their top consideration in job satisfaction. Security professionals who have stayed at their current jobs for longer than five years have the greatest satisfaction with the level of education and training offered by their employers.
Still, not all companies have the need for more advanced positions. Part of the problem for many companies is that they have little way for cybersecurity professionals to advance their careers, says Braden.
"Even with large midmarket companies with 5,000 or 10,000 employees, there may not be a lot of roles requiring security skills that would allow that type of advancement," he says. "I think that skills-gap alignment is really a bigger issue in some ways than the shortfall in security talent itself."
Managed service providers can help mitigate the impact of the lack of security talent, but companies have to take the right approach, Braden says.
"Our model is really not to enable a company to displace their IT security team — those people are valuable and they are hard to get, as we identify in the report," he says. "Instead, companies can use those resources for other purposes. And, if you look at the litany of operational debt items that are typically in a SOC or an IT department, we are talking about the ability to be able to implement software updates and patches, retiring login credentials when someone leaves an organization — they can repoint their people to more productive activities to which they are better suited, rather than processing alerts off a SIEM."
For companies that want to develop their own in-house team, the survey seems to indicate a way forward. Organizations need to have good executive support for whoever is designing and managing the security program, and roles have to be developed that both support the program and allow employees to advance into new positions, Braden says.
Then the head of information security must work with human resources to build a program that acquires and develops the right talent for those positions and retains it. And, Braden adds, a key part of that is education.