Careers & People

6/27/2018 01:26 PM
The 3 R's for Surviving the Security Skills Shortage

How to recruit, retrain, and retain with creativity and discipline.

As threats escalate and enterprise cybersecurity teams struggle to build teams that can handle mounting volumes of work, the hue and cry over the cybersecurity skills shortage continues to grow more urgent by the year.

In fact, a study released earlier this year from Enterprise Strategy Group (ESG) shows that over the past four years, the percentage of IT leaders who complained about a problematic shortage of cybersecurity skills has more than doubled. Security skills, according to ESG, are the shortest in supply, ahead of IT architecture and planning, and server and virtualization administration, which were numbers two and three, respectively. 

If organizations are to survive this skills crunch, they're going to need to get creative about how they build their teams. According to many longtime security experts, this means rethinking the basics. Fundamental to the process is for organizations to be both disciplined and open-minded as they recruit, retrain, and retain staffers.

Here's what the experts say it will take to leverage these three R's.

Recruit
Organizations often get so hung up on checking off a laundry list of resume prerequisites — specific security certifications, technology proficiencies, exact numbers of years in the industry, or all of the above — that they eliminate excellent candidates from the pool before they've even started recruiting.

"It's important to think outside the box and be open-minded when recruiting security talent. Throw stereotypes out the window and focus on understanding the types of people you are looking to hire," says Jennifer Sunshine Steffens, CEO of IOActive. "They may not have degrees or certifications, they may not have years of experience in security, and they may not wear hoodies." 

As Steffens and others explain, security is more of a way of life and a mode of thinking, so recruitment should be about filtering by personality types and mentalities more than by checklists. Security recruiters who focus on picking people who can round out a team rather than filling an exact role will see greater success down the line, says David Emerson, CISO for Cyxtera. This is particularly important considering that the pace of change will make those checklist items obsolete in a few years anyway. What matters more is finding someone who can grow with the team.

"The person you need now is not necessarily the person you need one year from now, or three years from now, so make sure your hires have enduring characteristics, such as dedication and a penchant for collaborative problem solving, not merely point-in-time qualities or trendy resume points," Emerson warns.

Organizations should be similarly creative about where and how they run recruitment drives, Steffens adds. 

"In cybersecurity, we've found some of the best talent by looking outside the industry 'norms.' Sure, recruitment at college fairs and offering internship programs will yield great candidates, but with 2 million job openings, the talent must come in nontraditional ways," she says. "At IOActive, recruiting is part of our everyday lives. We travel around the world attending conferences, hosting events, and visiting hackerspaces to find the right talent."

Finally, if you absolutely must fill a specific list of resume metrics, then you'll need to ensure that what you offer a candidate is on track with market realities.

"[Organizations] will need to open their wallets and clearly define their cultural identity to win the affections of those who are already established as leaders in the field," says Jared Coseglia, CEO of TRU Staffing Partners, a recruiter specializing in cybersecurity.

Retrain
Hiring based on potential is important, but to get the most out of all that latent ability you'll need to actually give employees the opportunity to make good on it. Training is crucial to helping existing staff keep up with current trends and develop those promising new recruits. 

"Companies that don't provide the space and the time for their security staff to keep their skills sharp are setting themselves up to fail," says Ryan Barrett, vice president of security for Intermedia. "Companies with successful security teams give them the time to conduct internal evaluations and regularly send them to security conferences for fresh perspectives and hands-on training."

Training can also be a huge tool for reducing cybersecurity recruitment spending when it is used to retrain or cross-train smart people who already work for the organization in different roles outside of security. According to Coseglia, this can be a very clever way to bridge gaps that can't be filled by external recruitment. 

"Pull professionals who know your culture and know your data from tertiary departments and reinvest in them rather than rely exclusively on external hires," he says. "For example, many corporations and consulting firms are transitioning tech savvy e-discovery or forensic investigation professionals into cyber-centric roles. These individuals often have the technical, business savvy, customer service, and/or project management skills needed to step in and provide leadership once trained on specific areas of cybersecurity."

One of the biggest mistakes organizations make is undervaluing the potential that existing IT employees could have to become excellent cybersecurity staffers, agrees Frank Downs, senior manager of Cyber Information Security Practices at ISACA. 

"Many of these people long to stay relevant within the organization but are not provided the funding or the mechanisms to cross-train," Downs says. "Many IT professionals want to become cybersecurity relevant. For the cost of some additional education, organizations can have someone who is familiar with the corporate rules and culture [that are] directly applicable to the cybersecurity needs."

Retain
Finally, organizations need to remember that simply filling a role is just the start of solid cybersecurity team-building. Even more important is ensuring that those roles remain filled for as long as possible.

This doesn't happen magically. Security managers must develop a sound retention strategy if they want to remain fully staffed in such a competitive market.

"As long as demand for experienced professionals remains high and supply low, a good retention strategy is crucial," says Tom Gilheany, portfolio manager of security training and certifications for Cisco Services. "Retention isn't necessarily driven by higher salaries alone. Research has shown that other factors play a surprisingly strong role when it comes to employee retention."

This means offering employees career and skills development programs and providing a clear path for growth in their roles and responsibilities.

"You can't hire and retain top cybersecurity professionals without presenting them with growth opportunities and a career path," says Drew Nielsen, CISO of Druva. "Hiring managers also have to consider and improve on company culture to attract top talent." 

Coseglia agrees that culture is the secret sauce for hanging on to the best and brightest. 

"Culture is key to the top echelon of cyber professionals," he says. "Culture can mean different things to different organizations. Some cultures offer advanced challenges, and the nature of their work becomes an enticement, while others offer cultural lifestyle differentiations." 

So whether it is giving staff the opportunity to hack into blockchain technology or the artificial intelligence of driverless cars, or it is giving them more flexibility to work from home to achieve a work/life balance, employers must up their game in making their companies a place where security pros want to set down roots.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
