Security leaders say they expect demand for talent to outstrip supply for at least the next several years. Your task: develop staffing plans that recognize that reality.
The numbers aren’t encouraging for CISOs looking to hire security professionals: The U.S. cybersecurity labor market is short about 500,000 workers, according to a recent report from the nonprofit training group (ISC)².
Here’s more discouraging news: That same report, the 2019 (ISC)² Cybersecurity Workforce Study, estimated that the U.S. cybersecurity workforce must grow by 62% to meet the business demands for talent. Globally, the numbers are even more daunting. The group calculated that the global cybersecurity workforce needs to grow by 145% to eliminate the skills gap.
The numbers aren’t particularly surprising, according to leading security authorities who say the report quantifies their hiring experience.
“Yes, we do have a shortage in cyber, and it’s not going to be fixed any time soon. It’s not a field where you can become an expert overnight,” says Keith Palmgren, a senior instructor with the SANS Institute, a nonprofit training organization, and author of SANS SEC301: Introduction to Cyber Security.
Although the shortage of cybersecurity professionals creates real challenges for CISOs, Palmgren, veteran CISOs and management experts say the problem is exacerbated by the fact that many enterprise security teams don’t have a talent acquisition and retention strategy that’s aligned to business needs and market realities.
What’s the solution? These experts say CISOs should first concentrate on developing a strategy to more efficiently and effectively build the teams they need while also recognizing the limits of a tight labor market.
“Most organizations don’t have a workforce strategy when it comes to security. They don’t know what they want in terms of people, skills and talents six months to a year from today. They’re stuck hiring for positions they needed six to 12 months ago. And if you ask CISOs what they need in a year, they don’t know. That cycle will always keep them lagging behind,” says Sam Olyaei, a director at Gartner Research, where he is a part of the Risk and Security Management group.
Although the (ISC)² report does confirm an overall talent shortage, some skills are in higher demand than others and thus remain among the hardest to find. Security professionals with experience in securing internet of things (IoT) deployments, running penetration tests, building secure infrastructure (particularly in the cloud), threat modeling and designing secure code in a DevOps or Agile shop are highly prized in the job market.
Other sought-after professionals include security analysts and forensics analysts as well as experts in implementing controls and risk management frameworks.
And any security pro with technical skills as well as strong soft skills (such as communication and collaboration skills) combined with business acumen is in the highest demand, says Greg Layok, managing director with West Monroe Partners and a leader of the management consulting firm’s technology practice.
Such observations align with who’s making the highest pay in the field. Mondo, the national staffing agency, reported in its 2019 Tech & Digital Marketing Salary guide that the top-paid professionals in this space are IS managers with a pay range of $120,000 to $185,000; application security engineers with pay from $120,000 to $182,500; network security engineers who make $115,000 to $172,500; and cybersecurity engineers at $110,000 to $165,000 in annual pay.
Misaligned skills, roles
As the CISO at LEO Cybersecurity and the former CISO at U.S. Army Healthcare, Heath Renfrow acknowledges the challenges he and others face when filling roles.
“Everyone on this planet is realizing the real threat to their companies in the cyber realm, and is desperately trying to get a hold and improve their cyber security postures. Almost every senior cyber security director/CISO I know has key positions open; it is no different with my current company or when [I was] with the DoD,” he says.
But he and other top security executives say the skills gap is not just about the talent shortage but missteps in how CISOs craft the positions they need.
They say CISOs tend to build positions that require a successful candidate to have multiple credentials combined with at least several years’ experience and knowledge of the multiple specific security-related software tools implemented within the CISO’s own enterprise. CISOs thereby set such unrealistic expectations for open positions that they almost guarantee they won’t find a qualified candidate, which only further fuels the sense that there’s a security staffing crisis.
“They often create roles based on the tools they’re managing, and each organization has their own blend of tools they’re using, so it gets hard to fill the role because they have multiple tools that they now need to have an expert in those exact tools, so they need to find a unicorn,” says Nate Ulery, a managing director with West Monroe Partners and another leader in its technology practice.
Experts say that relates to an overarching tendency among many enterprise security executives to misalign the roles and skills they say they need with the actual risks their own organizations face.
“Just blindly building a job description with standard cyber professional language isn’t going to do you any good. Write a job description that is specific to the actual job duties that address the risk or risks the person will need to mitigate, and from there you can start building the team you need to tackle those foundational challenges,” Renfrow says.
He adds: “The key to truly building a sound cybersecurity program is to build a strong business relationship with your executive peers, listen to their needs and objectives, and learn how to complement those from a cybersecurity perspective.”
Gartner holds a similar position, advising CISOs in its 2019 white paper Focus on Competencies to Establish Security and Risk Expertise in a Digital World that enterprise security “leaders must look past the skills shortage to identify and develop relevant competencies for their workforce to ensure alignment with digital business objectives.”
Olyaei says CISOs should develop their personnel strategy in conjunction with their overall security roadmap, which should include automating manual tasks to divert precious staff time to higher-value work, and outsourcing commodity tasks such as monitoring so staff can focus on the unique needs of their enterprise, such as risk assessment and governance.
He says CISOs should also assess their organizations against a staffing framework to determine which competencies they already have, and to identify and develop the competencies the security team needs now and into the future to support the business agenda.
“They should be matching these competencies to roles they think fit those competencies,” he adds, explaining that someone with collaborative and communication skills, for example, would fit well in a risk assessment position.
Olyaei also notes that such an approach allows CISOs to broaden their candidate pool by focusing their search on competencies, which can be found in workers from disciplines outside of security as well. Someone in finance, he notes, may have the collaborative and communication skills as well as the risk assessment background a CISO needs for a risk assessment job.
“Why wouldn’t we pull someone really good at data analysis and train them to look at the security data?” asks Candy Alexander, an independent security consultant and international president of the Information Systems Security Association (ISSA). “We need to do more of the cross-career training to get the experienced resource pool we need.”
Train, and retain
Security leaders say they expect demand for talent to outstrip supply for at least the next several years, so CISOs must develop staffing plans that recognize that reality.
Ulery says CISOs can prepare for the future by focusing on training and retraining as much as they do on recruitment efforts. His firm advises CISOs to cross-train their existing staff on the security tools used within their enterprise so that the team can better handle a departure and so they can expand their own skills as well. He also recommends giving workers new opportunities within the organization, which he sees as another key way to build bench strength and boost retention.
Palmgren, the SANS instructor, says CISOs also must work to address the sometimes unwelcoming, and even hostile, environment that can exist in cybersecurity, particularly for newly minted professionals and women. “How do we expect them to come into the industry if we treat them [poorly]?” he asks, noting that CISOs who guard against such behavior are more likely to have solid teams with less turnover.
Others make similar suggestions, noting that CISOs can’t afford to have a poor workplace culture if they want to attract and retain good employees.
“CISOs need to build the right culture and take care of their people, so they can keep their attrition low,” says Mike Mosunic, co-founder and CEO of Wolf Hill Group, a national recruitment firm focused on cybersecurity. “Most CISOs cannot afford to lose people on their team.”
Mosunic and others say that CISOs, facing a lack of ready-made employees, must focus more on growing their own talent: finding workers who already have as many as possible of the competencies needed to meet the unique security needs of their organization, and training them in the technical skills they’ll require into the future.
That, experts say, could help begin to close the skills gap – at least within the CISO’s own individual security group.
“It’s those CISOs who develop talent,” Ulery says, “who will be better at retaining and also recruiting the workers they need.”