In the cybersecurity world, we all agree that there is a need for cybersecurity professionals with smarts, knowledge, and know-how, as well as a willingness to learn. However, the industry is having an increasingly difficult time finding people to fill its ranks. “According to the 2017 Global Information Security Workforce (GISW) Study, two-thirds of its nearly 20,000 respondents indicated that their organizations lack the number of cybersecurity professionals needed for today’s threat climate.” (a) Recent studies show that, by 2021, there will be more than 3.5 million unfilled cybersecurity jobs within the IT market. Why, with such an abundance of jobs, is it so difficult to find cybersecurity professionals to guard a company’s network? More urgently, how does this impact your organization, and what can we do about this major issue?
Over qualifications and lack of pay
One of the biggest issues in any highly skilled field is finding people who are qualified for the position. The issue seems to be compounded in security, with reports showing that hiring personnel must repost cybersecurity jobs 35% more often than other information technology positions because the perfect, qualified candidate has yet to be found. What we are seeing here is that companies would rather hire turnkey security professionals than invest in the training and grooming that would come with hiring someone less qualified. More often than not, you hear of a company that asks for cybersecurity experience or a degree in its job posting, then tells potential employees that it is looking for someone who can use its specific tools immediately and that it cannot afford to train the person. However, the salary range may not be the fault of the company alone; in fact, many state governments are finding it hard to staff their cybersecurity teams due to a lack of funding. “States aren’t receiving sufficient funding to do what’s necessary. A lot is because of how federal grants are structured,” said Mitch Herckis, NASCIO’s director of government affairs. (b) In a job market where the skills needed are constantly increasing and evolving, companies must be willing to let their pay scales evolve with the market.
Companies that are struggling to find a good cybersecurity force often overlook talent, both inside and outside the company, that may not be tailor-made to their job posting. Cross-training current staff members, especially those who already work within the company’s Information Technology department, is a solution that is often overlooked, possibly due to the cost of training and grooming. This can easily be achieved through job rotation programs, in which staff fill in for security roles for a set amount of time, allowing everyone to pick up the security skills the company requires. Another option is to work with local universities to create paid internships for students as well as recent graduates. This would allow the company to build the security professional it is seeking from the ground up, tailored to its needs.
Education and Training are time-consuming
As any entry-level security professional can tell you, earning certifications or getting a degree in the cybersecurity field is time-consuming and expensive. The issue becomes compounded when you consider that, because cybersecurity is an ever-evolving landscape, these professionals must continuously train to maintain or earn new certifications. While it should seem obvious that cybersecurity professionals should keep their skills and knowledge up to date, sadly this is not always the case. This is in part because at least two-thirds, or 67%, of cybersecurity professionals admit that keeping up with training is difficult for two reasons: not knowing what the company would like them to receive further training in, and a lack of time due to the demands of their jobs. These issues can be easily remedied by an internal skills audit and by addressing workloads: investing in security automation would provide a more secure environment in the long run while saving money on manpower. This can be achieved with several products; the top contenders, according to Gartner, include Demisto and FireMon. These simple changes can help turn a company’s existing cybersecurity staff into more knowledgeable, better-trained professionals who can offer the company better security in the long run.
Outsourcing; in the cybersecurity world it isn’t a dirty word
The final thing to consider when searching for cybersecurity professionals for a company is: has the company considered outsourcing its cybersecurity staff? It is important to mention that this does not mean placing your security into the hands of a foreign country or a perhaps less than reputable business; it means using a security reseller as well as a managed security service provider (MSSP). Security resellers such as Baton Rouge’s SecureNation can help alleviate some of the struggles in protecting a network and finding the right fit for a company’s cybersecurity by suggesting and negotiating with disruptive security vendors to help better tailor a cybersecurity landscape for a company.
MSSPs, such as Secureworks, Jask, and Arctic Wolf, can help alleviate the need to hire already trained professionals by providing services such as Security Operations Center as a service and security orchestration. This would allow companies to fill the need for cybersecurity professionals where budgets may not allow for new full-time employees.
(a) Oltsik, J. (2017, December 05). Cybersecurity professionals aren't keeping up with training. Retrieved from https://www.csoonline.com/article/3240245/cybersecurity-professionals-arent-keeping-up-with-training.html
(b) Oltsik, J. (2017, December 05). Cybersecurity professionals aren't keeping up with training. Retrieved from https://www.csoonline.com/article/3240245/cybersecurity-professionals-arent-keeping-up-with-training.html