The security skills gap continues to expand as more companies realize what they need and, more importantly what they don't have. We need a security minor league system to meet the demand

Mike Rothman, Analyst & President, Securosis

May 6, 2013

4 Min Read

I spend a decent amount of time with CISO-types, and inevitably there are a few topics of conversation that bubble to the top. Advanced attacks is on the list. Most organizations of scale are dealing with some type of advanced attacker and have lots of great stories about being compromised. Many struggle with mobility given that executives want everything on their iPads yesterday. And they all seem to struggle with staffing.

Yes, you read that correctly: Staffing is one of the top three issues that senior security professionals struggle with. To be fair, quite a few also struggle with getting adequate funding and resources, but even if they have budget and open headcount, they can't find the people. Since I don't know much, I ask folks where they get their best candidates. The answers are pretty consistent: internal, military, and IROCs.

The first place you should look is internally. You have great people who could very well be interested in moving over to security. Maybe they are sysadmins, help-desk staffers, or network engineers. They know technology, they've had some experience with security, and they know your organization. Don't minimize the importance of organizational IQ, since they won't have to figure out how to do expense reports or how to get something funded.

The military is also a great place to find security skills. Every first-world nation has both offensive and defensive capabilities. These folks have skills funded by your government. You have to love that. These folks are diligent, understand chain of command, are usually pretty bright, and don't wilt when you are under attack. The problem is, there aren't enough of them, and it's pretty competitive to hire them.

Finally, we have IROCs. That was the term we used back at META Group for new college grads (Idiots Right Out of College). With the increasing number of security programs at universities, we'll continue to see more graduates with security knowledge. But don't mistake knowledge for skills. These are still kids, and they don't have real-world experience. They are projects, so treat them as such. Some will make it, others won't.

But it's still not enough. So you'll need to grow your own. Basically you need to build a security farm team to provide the increasing number of skilled security folks over the next few years. That means internal training, it means taking on a bunch of interns and participating in engineering co-op programs, and it means taking a bunch of your time to grow and nurture the skills you need. And always remember, there is no crying in security.

If there is a way to support your local universities as they ramp up their security curriculum, then do that. I guest lecture at Kennesaw State every semester, and am happy to work with the professors there to refine the program with some real-world perspective. It's all in the name of making the students more useful when they get their first jobs.

But that doesn't solve your problem today, now does it? Depending on your location and wage scale, your job may be even harder. I remember getting out of school, and I took a job in a metropolitan area for less money. Obviously some security roles require on-site presence, so you may not have a choice. But you'd be much better off trying to design your workflows, teams, and job responsibilities within a remote context. With the collaboration technologies available, it's possible and a lot easier than getting a person to move to the middle of nowhere.

I guess there is another option. You could buddy up with security headhunters and have them drop a bunch of paper on your desk every time you have an open position. To be candid, you may have to do some of that for your very specialized position. But this isn't an answer either.

I'll leave you with one last bit of perspective. The top-performing CISOs I talk to take the human resources aspect of their jobs very seriously -- to the point of spending 10 to 15 percent of their time, if not more, to ensure they have adequate skills and resources to meet the commitments they make to the senior team and board of directors. That's another thing they don't tell you before you take the CISO job, now is it?

Mike Rothman is president of Securosis and author of The Pragmatic CSO

About the Author(s)

Mike Rothman

Analyst & President, Securosis

Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and compliance. Mike is one of the most sought after speakers and commentators in the security business and brings a deep background in information security. After 20 years in and around security, he's one of the guys who "knows where the bodies are buried" in the space.

Starting his career as a programmer and a networking consultant, Mike joined META Group in 1993 and spearheaded META's initial foray into information security research. Mike left META in 1998 to found SHYM Technology, a pioneer in the PKI software market, and then held VP Marketing roles at CipherTrust and TruSecure - providing experience in marketing, business development, and channel operations for both product and services companies.

After getting fed up with vendor life, he started Security Incite in 2006 to provide the voice of reason in an over-hyped yet underwhelming security industry. After taking a short detour as Senior VP, Strategy and CMO at eIQnetworks to chase shiny objects in security and compliance management, Mike joins Securosis with a rejuvenated cynicism about the state of security and what it takes to survive as a security professional.Mike published "The Pragmatic CSO" in 2007 to introduce technically oriented security professionals to the nuances of what is required to be a senior security professional. He also possesses a very expensive engineering degree in Operations Research and Industrial Engineering from Cornell University. His folks are overjoyed that he uses literally zero percent of his education on a daily basis.

He can be reached at [email protected]. Follow him on Twitter @securityincite

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights