Strategic Approach Needed to Navigate Cyber Security Skills Shortage

Posted on by Christos Dimitriadis

The rapidly expanding cyber security threat landscape calls for more robust, more sophisticated security programs.

Improving security programs, though, requires the right personnel – a major obstacle given the state of the cyber security workforce. A fundamental disconnect exists between what employers expect and the caliber of cyber security candidates who are available for hire.

According to ISACA’s State of Cyber Security 2017 study, 37 percent of respondents say fewer than one in four applicants are qualified for jobs, and only 59 percent of organizations receive at least five applicants for open cyber security positions. That means many organizations are unlikely to receive more than one or two qualified applicants for positions – an unenviable scenario for hiring managers.

While there is no sugarcoating this skills shortage – especially given how essential cyber security is for today’s enterprises – there are important steps organizations can take to best position themselves to attract and retain skilled cyber security professionals.

Since finding fully qualified applicants is so difficult, enterprises must identify a training framework that can fill in gaps and refresh skills to keep pace with the fast-evolving threat landscape. An increased emphasis on and investment in training and professional development is a must. Prioritizing performance-based certification is especially important in cyber security, where technical skills are not adequately developed through textbook-driven, theoretical training. The State of Cyber Security study shows that hands-on experience is the most important qualification to more than half of employers.

Enterprises also should develop mentorship and apprenticeship programs to attract more people to the profession, and at an earlier age. Increased cooperation between universities and both the public and private sectors in developing these programs would go a long way toward raising cyber capabilities across all industries.

Grooming existing staff for cyber security positions is another worthwhile consideration. Application developers, data analysts and network specialists may have the aptitude and educational backgrounds to successfully transition to cyber security positions. Many employees with these tangential skills are aware that cyber security positions pay well and serve a critical purpose, so they tend to be receptive to making the transition.

Proactive efforts to bring more women into the field are another important component of bolstering the cyber security workforce. Women are vastly underrepresented in technology fields, including cyber security. While this is a longstanding problem, enterprises can make use of targeted mentoring programs and offer flexible work arrangements to incentivize more women to enter the field. Ensuring that men and women are paid equitably and provided the same opportunities for career advancement should be a given.

Once enterprises have effective cyber security personnel on board, their work is not done – they must work diligently to retain them. Considering how difficult they are to replace, letting skilled cyber professionals leave can be a major setback. While having a realistic sense of cyber professionals’ market value is a must, investment in professional development opportunities and job rotation to help round out skills and minimize frustration with repetitive tasks also can incentivize employees to stay for longer periods.

There are no quick fixes to these workforce challenges, but taking a strategic approach to hiring and retaining talent – while making the needed investments in training – can help enterprises be prepared for the inevitable cyber security challenges ahead.

Christos Dimitriadis

Chair of the BoD, ISACA


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
