According to the Cisco Annual Security Report 2014 (graphic below), there are approximately one million unfilled Security jobs worldwide. The supposed ‘war on talent’ (a phrase I hugely dislike I must add) is nothing new, but to a lot of people data breaches and information security flaws are featuring in the mainstream news streams for the first time. So how do we as an industry go about attracting and, possibly more importantly, retaining top talent in Security? It got me thinking about some relatively simple steps that could be taken in the short term.
I specialise in recruiting Security professionals into End Users and Enterprises, and because of this I am privy to quite varying levels of maturity within internal and external security processes and policies. I am also able to speak with some incredible clients and candidates on a daily basis who are able to share stories of companies that lack genuinely specialist Information or IT Security teams or have poorly implemented policies (I’m fortunate to deal with companies that have quite excellent policies and teams in place at the same time, but that is for another blog!).
My point being, I feel there are two main ‘problems’ to overcome which will help bridge the talent gap.
Firstly, a lot of firms still seem to neglect how severe cyber threats genuinely are. The results of a recent study by Atomic Research () prompted many industry commentators to remark how “nearly all recently publicly declared breaches had gone on for months without detection”. Many of the CIO’s and CISO’s I speak with still feel that Security is viewed as a ‘bolt on’ rather than critical infrastructure in today’s business world. Because of this, opportunities are not being created for candidates to either enter the market or expand on their skill sets. With a lack of investment comes an unfortunate lack of up skilling, therefore the talent pool is not growing leaving opportunities unanswered.
A lot of the time security is seen as expensive, whether it is the processes and technology to be put into place or the staff being hired. So is there a way around one of those problems? Could firms open up positions to school leavers as well as graduates, or candidates with lower levels of experience but an eagerness to progress in our ever expanding industry? Again I often speak to candidates who despite having some industry experience cannot make the next step in their careers and feel that they stagnate without the opportunities to grow their knowledge and help protect their employers from ever changing breaches.
Secondly, and perhaps more simply, is how employers raise employee’s awareness of IT and Information Security. I read recently about how Channel 4 and AXA approach their employees and hold ‘drop in sessions’ about protecting their own devices, and therefore hoping they adopt the same mindset in the workplace. Relatively straightforward initiatives like this will help raise the profile of Security and perhaps increase interest from those that hadn’t previously thought about entering our industry. Whilst this isn’t the answer to all of our problems, it may certainly help make that gap a little bit smaller. Do you feel that your company could do something similar to help ease the gap?
I think if the industry opens up to those two points, amongst others, then the gap could start to bridge.
Jason Waterman, Principcal Consultant at Badenoch & Clark, @JasonWatermanBC
Jason has over 6 years recruitment experience purely within the security and technology markets. His aim is to develop long term, lasting partnerships with key decision makers, providing proven, cost effective and bespoke, recruitment delivery solutions whilst also building constructive and equally as important relationships with candidates. He has held a MIRP CertRP (REC) qualification since 2009 and was an Ambassador for the Institute of Recruiters (IOR) for over a year.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.