Are we asking the right questions when it comes to the infosec skills shortage?
Chatting with a colleague recently about local economic issues, she made a remark which I found profoundly interesting at the time.
She said that the reason why economic policies are sometimes ineffective is because policymakers are failing to identify their root causes. “We cannot get the right answers if we are not asking the right questions,” she summarized.
I recalled that remark as I reflected on the widely reported shortage across multiple industries of people with the needed information security skills, a recurring challenge showing no signs of abating.
The Scale of the Problem
Security risks continue to gain board-level attention in many industries. After all, high-profile and publicly acknowledged breaches have a strange way of focusing the minds of senior executives on addressing security gaps.
However, the perennial skills shortage of technically proficient professionals means that organizations are finding it difficult to address security threats to their organizations at the same pace at which they occur.
A recent EY survey predicts a global shortfall of about 1.8 million security professionals within five years. That same study notes that 56 percent of respondents acknowledge currently having skills shortages. A separate study suggests that on average, it is taking enterprises longer to find and hire qualified professionals – sometimes taking up to six months before open cybersecurity positions are filled.
With digital transformation firmly on the agenda for many organizations and cyber-attacks on the rise, business leaders appear set to continue to struggle to resource strategic business initiatives with the appropriate security skills.
Asking the Right Questions
With reports that the global skills shortage appears to be getting worse, existing approaches to finding and hiring are worth challenging. Below, I list five questions that attempt to look at this problem from different perspectives.
#1: Are Hiring Managers Getting the Right Support?
I recall being presented with many dysfunctional job descriptions over the years when I have been a candidate for various positions. I have, for example, seen security analyst roles being erroneously presented as governance and compliance roles and SOC job descriptions requesting qualifications that appear unrealistic for the level of experience demanded. While it is true that every organization has different requirements, I can’t help but think that hiring managers are being let down by their recruitment service providers.
Job analysis – reviewing the qualifications and requirements of a particular position – prior to engaging in recruitment and selection is such an important first step for tackling false assumptions about a role.
The more accurate the job description, the more effective the interview questions and screening tools could be. The job analysis should cover everything from technical to soft skills and other details such as work location, remuneration and key performance indicators.
By challenging the way they develop job requirements, organizations could increase their chances of attracting and retaining the right talent.
#2: Are Security Roles Attractive to More Women?
The tech workforce gender disparity and discrimination against minorities in the industry remain hot topics of discussion at many industry conferences. Specifically, women remain globally underrepresented in the security industry.
It would be premature for an organization to conclude that merely having a diversity program is sufficient for addressing gender imbalance and the marginalization of minorities in the workplace.
Rather than using them merely to satisfy corporate KPIs, organizations need to challenge their goals and objectives for such programs in the first place. Are existing initiatives designed to create a more inclusive workplace, provide mentorship opportunities and address inequalities in pay and career progression for women? Problem areas such as hiring to fill technology and information security roles deserve special attention.
#3: Are Recruiters Trying Non-Traditional Approaches?
Specialist information security degrees and partnerships between higher education institutions and professional certification organizations such as ISACA and (ISC)2 have offered paths into the industry for individuals coming from academia. However, those individuals typically come from science, technology, engineering and math (STEM) backgrounds, where the body of knowledge tends to align closely with the capabilities required to operate in technical security roles.
Challenging the way recruiters traditionally search for security talent could open up vacant roles to a wider pool of candidates. Mentoring, capture-the-flag competitions, hackathons, and bug bounty programs are some examples of alternative ways to find security talent.
These non-traditional methods could improve the way hiring organizations spot traits such as natural curiosity, risk aptitude, analytical thinking and detailed reporting, all of which are foundational attributes required to operate in many domains within information security.
#4: Are Organizations Sufficiently Incentivizing Existing Talent?
With some exceptions, most professionals are already thinking about their next career move. Finding security talent is one thing. Retaining existing talent is quite another.
Why do good people leave? Career stagnation is often cited by security professionals as one reason for changing jobs. Therefore, it is worth paying attention to the root causes of staff attrition.
Prioritizing funding for security program areas is a constant challenge for many CISOs. This unfortunately often results in security education, training and personal development falling lower in the pecking order when faced with competing priorities. Ring-fencing budget allocation for research, training and development demonstrates leadership’s commitment to attracting and retaining the best talent.
Additionally, infosec leaders and human resources could come up with innovative ways to identify existing talent within their organizations that might sit outside the core security function.
Existing employees who demonstrate sufficient interest and technical ability could become internal hires, saving the business time and money spent on external recruitment while preserving much-needed institutional knowledge.
#5: Could Increased Automation Help?
Perhaps the answer to offsetting skills shortages is to reduce the dependency on humans altogether.
Indeed, many organizations already are exploring robotic process automation to streamline and standardize repetitive processes. This trend is set to continue, especially in the area of DevSecOps.
The desired state for many CISOs would be to free up skilled professionals to be more creative and innovative, and to focus on the optimization of the security function.
Getting the Right Answers
In May 2019, the UK government put out a call for views on a National Cyber Security Strategy.
The call for views recognized that “cybersecurity is central not only to our national security but also fundamental to becoming the world’s best digital economy.” Consultations are ongoing and a final strategy document is expected to be published by the end of 2019.
Some of the questions I put forward in this article have been included in an Initial National Cyber Security Skills Strategy. Asking the right questions should hopefully lead to getting the right answers for remediating the infosec skills gap problem.
Addressing this skills shortage requires fresh thinking and stronger collaboration between government, industry and public/private partnerships.
(This post originally appeared on the ISACA blog, which can be viewed here).