Against the backdrop of an active threat landscape and an escalating number of cyber security attacks, many companies face the harsh reality that there just isn’t enough skilled talent to go around to adequately safeguard their IT infrastructure.
In its 2017 Internet Security Threat Report (ISTR), Symantec reported that 7.1 billion identities had been exposed through data breaches over the last eight years. And it’s not just big-name retailers and financial institutions that are in the cross-hairs; attackers are also increasingly launching attacks against small and mid-sized companies.
The material cost is formidable, with damages related to cyber crime globally expected to reach $6 trillion annually by 2021. Meanwhile, organizations are projected to spend $1 trillion on cyber security cumulatively from 2017 to 2021 to combat growing cyber threats.
But even as they plan to deploy more security-related technology and services, they will also need to figure out ways to compensate for the shortage of trained cyber security personnel.
“There’s a serious increase in cyber security as a priority because of the amount and severity of the breaches we are seeing,” said Jamie Barclay, senior manager, corporate responsibility at Symantec. “Companies are struggling with getting and deploying the right technology, but they are also grappling with where to find the right talent.”
The numbers underscore the depth of the talent shortage. Demand for security experts is growing three times faster than for other IT jobs. At the same time, Cyber Security Ventures estimates there were 1 million security-related job openings last year, while the Enterprise Strategy Group found that 46% of organizations report the scramble to find people with sufficient cyber security skills as an ongoing challenge.
But organizations can still compensate for the limited talent pool. There are a number of alternative options to bolster cyber security competencies, including outsourcing the function to managed services providers, retraining in-house IT professionals, and drawing candidates from non-traditional areas. In a survey conducted by CIO, CSO, and Computerworld last year, 56% of responding organizations said they were enlisting outside consultants to help with information security strategy, with 40% turning to managed security service providers (MSSPs) to offload security functions almost completely.
Hiring external consultants or outsourcing some security functions is one way to get the job done, according to Richard Borden, vice president of IT for Blackhawk Community Credit Union, which is doing just that as part of a hybrid approach to security. BCCU uses outside partners to handle some IT security audit and remediation tasks, but is also re-skilling an internal staff member to help digest threat intelligence data, SIEM outputs, and third-party testing reports.
“The challenge is to balance the outsourcing of projects versus security remediation across internal and external resources on a case-by-case basis, depending on what resource is best suited to handle the task or project,” he explained.
However, it’s not always easy to retrain workers to pick up security functions, according to Borden. He cautioned that not all skills can be taught equally well to all personalities and aptitudes.
“Just because you're a technical IT professional such as a network administrator, systems analyst, or developer, that doesn't mean you're a security expert,” agreed Kevin Beaver, founder and principal information security consultant at Principle Logic LLC. “It can happen as you build on these skills on your way to mastering security, but it's going to take a few years.”
To that point, Beaver says there are no certifications, degrees, webinars, or conferences that are going to transform traditional IT professionals into legitimate security experts overnight.
For companies willing and able to play the long game, one way to cultivate much-needed security talent is to draw from non-traditional pools—for example, the veteran community or local and two-year colleges that don’t necessarily have cyber security degree programs. Symantec’s Cyber Career Connection (C3), a collaboration with educational development non-profit partners such as NPower and Year Up, is focused on creating a pathway for individuals in those communities to prime the cyber security workforce pipeline.
C3 offers training and mentoring designed to raise awareness of cyber security career opportunities while developing a curriculum highly focused on specialized cyber security principles, software, methods, and tools. At the same time, the C3 initiative seeks to create more diversity in the cyber security workforce; thus far, 63% of C3 participants have been people of color while 25% have been female.
“We saw an opportunity to address the skills gap,” Barclay said. “We need to help organizations think differently about the types of people that can do these jobs. We are showing them they can spread a wider net and bring a more diverse population to the table.”