In our last blog post, we discussed the need for information security professionals to find their business voice. At the same time, security and risk management are driving the growing need for information security professionals. This leads to the second major trend facing the industry, which is the demand for skilled personnel. One CISO I know quotes unemployment in Information Security at less than 0.5%; essentially anyone in information security who wants to work is working. And there are plenty of jobs out there, some with very specific, narrow and technical skills. Others are jobs requiring risk management, strategy, and architecture skills. The ISC2 Global Workforce Study, which was shared during the 2013 RSA Security Conference, highlighted the continuing need for these professionals. Informally, I’ve talked with several CISOs whose major security concern is hiring and retaining security staff. Other organizations have shown vacancies for teams of five or more at one time. Often they are looking to establish a new team or capability that’s already in demand.
Because there aren’t enough people to keep up with growing demand, companies need to embrace security outsourcing now more than ever before. And all organizations need to look for force multipliers through automation and secure system design to limit the need for people. At a recent dinner with several professionals, we noted that companies need to start seriously looking at outsourcing. As tweeted by Josh Corman, you need to outsource what anyone can do and insource what only you can do. This means focusing on the information security and risk management needs that tie to unique aspects of your company’s business models and processes. No outsourcer can learn those as well as an insider. At the same time, any outsourcer can establish a firewall and manage the rules according to a set of policies. CISOs and their teams need to become much more comfortable outsourcing services to managed security services providers.
Todd Inskeep is a Senior Associate at Booz Allen Hamilton. He leads Cyber Security Assessments at client companies measuring, managing investment, and enabling improved Cyber security programs. Todd has served on the RSA Conference Program Committee since 2002.