Blog

People and technology: a two-pronged approach to closing the skills gap

Mar 02, 2018

Wes Simpson - square By Wesley Simpson, COO, (ISC)²

Some have called the skills gap in IT and cybersecurity a national security crisis. Yet, it’s one that most everyone in the industry doesn’t know how to solve. Many look to automation and other technologies as a solution to the problem. Others foster relationships that will fill the pipeline and attract new talent. But there is no ONE solution. Instead, organizations need to both build and buy the talent they need.

The growing gap between skills needed and qualified candidates is not a problem that technology alone can solve, but it is one that is made more complex by burnout and attrition. Companies need to be thinking about the strategies they can put in place to ensure that there won’t be gaps in their security when their key players move on, but technology strategies won’t eliminate the risk of brain drain.

The solution is a two-pronged approach that requires first understanding where your security gaps are and determining the tools your business needs, and then building your security team around the technology. If you don’t know what you are protecting and what your business-specific risks are, you can’t build the agile security team you need to defend the organization against cyber threats.

CIO predicts Fortune 500 and 1000 companies will spend almost one-quarter of their entire IT budget on security in 2018. When security budgets increase, many companies look to add new technologies to their security ecosystem. With an ever-expanding market of technologies promising to deliver the best solutions, it’s important to first understand which security tools are best for the organization. Building security systemically starts with understanding the right risk posture of the business rather than building the technology around the team.

The team is as important as the technology, though. Mitigating security risks requires the right combination of people, processes, and technology. Chief strategy officer at Flashpoint and CEO for NinjaJobs, Chris Camacho said that finding talent is hard which is why part of a good security strategy is to ensure that you always invest in your people by training them, so that they understand the business and can thereby be collaborative. 

“By letting your security staff engage with other business units,” Camacho said, “they will feel appreciated, feel more engaged and feel more invested in the overall company, and more likely to think twice before considering other opportunities.”

In addition, organizations need to rely on key vendors who support business risk intelligence for staff augmentation so that if folks leave there is minimal impact to the business. “Always having visibility to threats from the internet and risks to the business is critical to maintain a successful infosec program,” Camacho said. 

But growing your security team for the future means investing in people today. Yes, part of that investment is training the staff you have, but it also means building relationships with the next generation of industry leaders. “Find recent college graduates or previously hired interns,” said Camacho. Expose your new hires to various infosec disciplines and make them generalists that can support multiple disciplines. “Always have an additional person learning new technical skills with the expectation that once a year you will lose one person from your team,” Camacho added. 

The potential consequences of the talent shortage and attrition have never been greater, so how do you stop security practitioners from walking out the door? First, you need to understand why they are leaving. One of the top three reasons security practitioners choose to move on is that they see no clear path for growth in their careers, according to chief social scientist at Endgame, Andrea Little Limbago.

Endgame’s research from the field found that in addition to the ill-defined career path, burnout, and industrial change were the top reasons survey participants wanted to leave their jobs. The stress-inducing nature of the fast-paced, never ending challenges of security take a toll on practitioners.

The rapid turnover rate increases risks, and Evee Security Consulting Group CEO, Gary Evee said, “I would submit there is no greater threat, which can potentially impact an enterprise’s welfare, or hinder their ability to successfully thrive and compete in the marketplace, outside of cybersecurity.”

That’s why today’s cyber security threats cannot be solved through technology alone. “Part of the solution to addressing today’s cybersecurity skills gap requires enterprises, government and academia to collaborate to increase the pool of talented cyber security professionals,” Evee said.