
How Companies Compensate for the Security-Worker Shortfall

Organizations are turning to alternatives, ranging from training initiatives to employing fractional CISOs

When Adam Sypniewski needed to find someone to take the role of creating and managing the security and compliance program for speech-recognition startup Deepgram, he decided not to attempt to hire for the role.

With cyber security professionals in high demand—analysts estimate a worldwide shortage of about 2 million knowledgeable workers—he knew it would be expensive to bring in someone with the necessary skills. Instead, Sypniewski, the chief technology officer at Deepgram, contracted a fractional chief information security officer (CISO), a person who splits their time between companies, creating security programs, managing compliance, and helping to advise a firm’s other workers.

"My problem as CTO of Deepgram is not whether I can do it—I know how to do it, I know the resources I need, and I know how to direct my engineer to do it—but … the risk is that you don't have someone watching with two eyes all the time," Sypniewski said. "Other workers—namely myself—I can get distracted. I have to wear a lot of hats. So, when security is only one of them, and when I'm not wearing the security hat, it is hard to remember to do it all."

The booming demand for cyber security professionals is driving companies to be more creative in how they secure their systems.

Organizations continue to struggle staffing their security teams. A recent survey of 1,125 IT decision makers found that while 64 percent of companies identify a greater number of threats to their business, half of the firms lack the security talent to maintain the measures that they deemed necessary to protect their business. The result is that current cyber security personnel are overworked, with 72 percent of workers considering quitting because they lacked the resources to do their job.


Each year, Enterprise Strategy Group asks companies if the shortage of cyber security workers is a problem for their business. The number reporting a problematic shortage has climbed every year, from 42 percent in 2016 to 53 percent in 2019, according to the analyst firm.

"No one has ever sounded the alarm that this is an emergency," said Jon Oltsik, senior principal analyst at the Enterprise Strategy Group. "The government needs to come in with more grants and training programs. A lot of that is happening, but it is happening in pockets. We need more of a national effort."

Like Deepgram, many companies are adding a virtual CISO. Fractional CISOs are just one way that companies are dealing with the booming demand for cyber security professionals. About 10 percent of organizations employ a fractional or virtual CISO, a role that 29 percent of CISOs have adopted and that another half are considering, according to the Information Systems Security Association (ISSA).

"Almost half claim that working as a vCISO brings more variety and flexibility to a CISO position," the group stated. "CISOs are clearly seeking to avoid some of the politics and stress while taking more control of their careers."

A Long Road

While training more employees in cyber security is necessary, education will not solve the problem in the next decade. Nearly 8 in 10 companies have trouble finding employees and outside hires that are willing to be trained in cyber security, according to ESG's Oltsik.

"There is the salary inflation—you have to increase your budgets for any kind of hire," he said. "It has increased with workload on the existing staff, and they have had to hire junior people and train them, instead of going out and finding senior people."

Yet, training does remain the most viable long-term solution. Companies should focus on having a good pipeline for training cyber security workers and an attractive career path, once they are hired, according to T. Frank Downs, director of the cyber security practice for ISACA, formerly the Information Systems Audit and Control Association.

"We need to get more people into the cyber security programs, but at the same time, the need is growing—it makes the game of catchup even harder," he said.

Part of that is advertising the opportunities, he said. Many millennials and high-school students do not know about cyber security—only about 10 percent consider it a career option, he said. Downs, who also teaches a graduate cyber security class at the University of Maryland Baltimore County, has found that, if the word gets out, companies can attract promising students from non-traditional professions.

"The best students are some of those transitioning from the weirdest places," he said. "Last year, my best student was a middle school English teacher for 11 years, until she said, 'No, I'm going to do cyber.'"

Rush to Managed Services

While finding independent contractors and hiring fractional CISOs can bridge the gap between the need for security expertise and being able to hire or train workers to fill that need, many companies have instead outsourced their security to managed security service providers (MSSPs).

"When there is a lack of general bodies, people are going to go the MSSP route for basic functionality," said Ken Baylor, founder of Stealthworker, a company that focuses on providing fractional CISOs. "But that will not solve many of the specialized problems that you need a CISO for."

The biggest drawback of managed service providers, however, is the cost.

"MSSPs are expensive," Deepgram's Sypniewski said. "We are a Y Combinator startup company. We were founded in 2015, so we are a pretty small company." Contracting with a managed security service provider would have been too costly, he said.

Yet, the relative inflexibility and the one-size-fits-all approach of many MSSPs is also a major downside, he said.

"We are a heavy R&D company, and the nature of what we are building and how we deploy it and the pieces that we need to put it together—that changes a lot depending on the product we are building that month and the customers," Sypniewski said. "It would be a pain point to have to work with a managed security company."


Whether by hiring and training, using independent contractors, or engaging full-on managed service providers, companies are finding ways to bridge the gap in the availability of cyber security experts. Companies that have seemingly solved the issue, however, still need to plan for the future in case their coveted cyber security professionals decide to take their talents elsewhere.

"All these companies are fighting over the same people, and it's getting gnarly," ISACA's Downs said. "Don't assume that once someone is hired, they are not going to leave. If you use a person as a part, you shouldn't wonder why they leave when another company comes and offers them more money."

About the Author

Robert Lemos

Journalist

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for two decades. He has covered cybercrime and security technology for almost two dozen publications.