An increasingly complex security landscape, combined with a challenging threat environment, is putting pressure on many organisations to fill the security skills gaps in their workforce.
Then the additional demands placed on businesses to cope with changing compliance and regulation requirements, driven currently by the EU General Data Protection Regulation (GDPR), is creating a ‘perfect storm’ in terms of recruiting the right skills and resources to meet these growing demands.
It is estimated that there are 1 million unfilled security jobs worldwide. According to an ISC2 survey, the number of unfilled cybersecurity jobs globally will rise to 1.8m by 2022, a 20% increase from 2015.
This lack of dedicated resources to keep pace with a growing range and number of threats means that it will be no longer possible for many companies to tackle all aspects of cybersecurity in-house. The skills gap is leading to a gap in an organisation’s risk posture, potentially exposing them to unnecessary risks.
With the GDPR set to impose tough new standards, along with punitive fines for failing to protect data, it means that many in-house security teams will be left struggling to cope with new regulatory challenges at a time when they are woefully under-resourced.
Finding resources is certainly a challenge for companies today, but finding and recruiting the right people is absolutely critical. When it comes to recruitment, it is important to review your recruitment strategy to ensure it is fit for purpose.
You will need IT security staff – specialists in compliance, digital forensics, incident response, threat intelligence and analytics – but don’t ignore people from outside typical IT security roles.
The ISC2 report shows that 30% of employees have launched a cybersecurity career after holding a non-technical job in business, accounting or marketing, demonstrating that individuals with good communications, people and business skills can also make an important contribution within the IT team.
Do not underestimate the complexity of your operations either. In an IT security department, you need people with a range of skills, but often they don’t have a broad enough skill set to cover all that is required of them. If you want your IT security staff to ‘wear many hats’ recruit them accordingly or train them up to the standard required.
Above all, we need to do more to encourage people to consider a career in security. The industry, business and government must get better at educating teachers and careers advisors at schools, colleges and universities to fundamentally change the way people view working in the industry.
The disconnect between what a manager expects and what a new team member requires for a successful and rewarding career is something that needs to change if the cybersecurity skills shortage is to be addressed.
Recruiting and managing a team of security professionals brings its own challenges, unique to other departments and roles within a business. There are the obvious ones, such as the cost of recruitment and the length of time and commitment in filling each position. Then there is the need to train individuals and keep their skills and certifications up to date – often very demanding within a cybersecurity role as threats evolve and technologies change. .
One option is to outsource these skills to avoid the cost, time and frustration of this process, which may have to be repeated if someone decides to leave (along with their knowledge and skills). Being able to outsource some or all of these skills to an end to end provider of cybersecurity services can help close the gap, as they focus on providing the right people with the right skills at the right time.
There are simply not enough qualified security experts entering the workforce today and there is no silver bullet to alleviate the problem. Cybersecurity needs to be seen as a career choice in order to attract more people into the profession. There’s never been a more important time to make this a career of choice.