The IT skills shortage around information security has been a hotly debated topic for many years, and many experts suggest it will only get worse. The unfortunate truth? Those experts seem to be right. According to the ClubCISO Information Security Maturity Report 2017, 48% of CISOs say their organisations struggle to attract or retain good quality information security staff, and as recently as 2016 the same group of CISOs reported that retention had got worse in 40% of companies.
This news comes at a critical juncture for UK businesses, which are facing both the General Data Protection Regulation (GDPR) and uncertainty around not only Brexit itself but also potential changes to the free movement of European workers. Both of these factors are likely to require even more cyber security skills to mitigate risk in businesses.
In addition, organisations are often asking too much of the employees they do have. Because of limited options (and budget constraints), many are looking for security professionals who can do everything. Not only are these people much harder to find, but this ‘hero resourcing’ leaves organisations vulnerable: if that person leaves, most, if not all, of the company’s security skills go with them. It is much safer for organisations to spread their talent across a whole team. Needless to say, this can be a daunting prospect when so many companies struggle to find even one person who is the right fit.
The question is, how do businesses even begin to shore up their talent pools?
Think laterally, not vertically
Perhaps it’s time to start thinking laterally about recruiting cyber security talent. 69% of today’s CISOs report that they started their careers in technology or engineering, some come from armed forces or physical security backgrounds, and nearly one in ten began their careers in financial or operational management. Furthermore, a surprisingly small 8% have a dedicated degree in information security.
As a comparatively recent vertical within the technology industry, ‘information security’ as we know it isn’t a clear-cut role, and it varies from organisation to organisation. There are extensive benefits to recruiting outside the traditional IT talent pool. Facility managers, legal professionals, HR executives, crisis comms managers: all of these business decision makers will be used to handling and advising on risk in their day-to-day roles.
Admittedly, staff from these roles may not have the same depth of technical expertise as someone from a more traditional IT background, but as cyber crime transitions to an ever more social engineering-led model, this is becoming less and less of an issue. The business perspectives that people with these kinds of responsibilities can offer are often invaluable in reducing organisational risk, and support the CISO immeasurably.
Investing in people
This is not to say that the technical staff shortage is not something to be concerned about. It is. For this reason, it is also time for the current cyber security workforce to start investing in knowledge transfer, especially as low retention rates amongst staff often correlate with a lack of sufficient investment in training and development. Novice IT apprentices who are taken on and trained up to a high standard will feel an affinity towards the business that has invested in them, encouraging loyalty, hard work and, hopefully, a long tenure.
Another way I have seen organisations deal with their infosec skills shortage is to look to their own internal IT teams. This is a readily available talent pool of people who already understand the business, the existing teams, processes and problems. It is not too much of a jump to evolve an employee’s career path from a traditional IT role (support desk, desktop management) into a security-centric one. This not only breeds loyalty by investing in the skills of current employees but, over time, also builds a good relationship between IT and security.
It is true that much of the skills shortage gets blamed on the labour pool, but in reality a lot of it comes down to the unwillingness of many organisations to invest in creating attractive security roles. Those that do invest are ultimately more successful at recruiting the kind of unconventional problem solvers and technically minded individuals who become good cyber security professionals. Those that don’t tend to blame poor market conditions and become blinkered to the wider situation.
Ultimately, organisations can bolster their infosec staff both by casting a ‘wider net’ and through comprehensive training. But make no mistake: cyber security today is one of the most important areas of organisational resilience and absolutely shouldn’t be overlooked when budgets are being tightened.
– Marc Lueck, ClubCISO Chairman