IT attrition could help address the cybersecurity skills shortage

Infrastructure specialists with strong IT skills should be welcomed into the cybersecurity professional community

When it comes to the cybersecurity skills shortage, ESG research reveals the following:

  • Forty-six percent of organizations claim that they have a “problematic shortage” of cybersecurity skills. This represents an increase of 18 percent compared to 2015. 
  • A vast majority (87 percent) admit that it is “very difficult,” “difficult,” or “somewhat difficult” to recruit and hire cybersecurity professionals.

Yup, there is a definite shortage of cybersecurity professionals available, so recruiters are tripping over each other as they try to poach talent from their existing employers.  According to a recently published report by ESG and the Information Systems Security Association (ISSA), 46 percent of cybersecurity professionals are solicited to consider other cybersecurity jobs by various types of recruiters at least once per week! This situation has led to salary inflation and massive disruption. 

It’s certainly true that if you need a highly experienced cybersecurity professional, you have no choice but to pull someone away from their current job, but this is a zero-sum game from a total employment perspective. 

So, what else can we do? Well, there’s another disruptive force happening within IT called cloud computing. Simply stated, as organizations move workloads to public cloud providers such as Amazon Web Services, IBM SoftLayer and Microsoft Azure, they no longer need as many infrastructure administrators to babysit Intel servers, storage arrays or data center switches. 

As it turns out, these uprooted IT folks are a natural fit for cybersecurity jobs.  According to the ESG/ISSA research, more than three-quarters (78 percent) of cybersecurity professionals moved from IT jobs to cybersecurity jobs as part of their career progression. ESG/ISSA asked those who transitioned to cybersecurity what they learned as IT professionals that helped them with infosec. The responses were as follows:

  • 46 percent said gaining experience with different types of technologies
  • 44 percent said IT operations knowledge and skills
  • 42 percent said networking knowledge and skills
  • 28 percent said collaboration between IT and business units on business initiatives, processes and strategic planning
  • 26 percent said an understanding of how IT organizations work

So, while the cybersecurity skills shortage will continue for the foreseeable future, there is also a pool of IT talent out there that will become available over the next few years as an increasing percentage of enterprise workloads migrate to public cloud infrastructure. Yes, these folks will need specific cybersecurity training, but the ESG/ISSA research indicates that this group brings many of the business, organizational and technical skills needed as a foundation for cybersecurity professionals.

Rather than rob Peter to pay Paul, smart CISOs (and cybersecurity product and services vendors) will invest in training and mentoring programs and recruit heavily from this growing population of IT professional outcasts. In my humble opinion, this is a sounder strategy than continually horse trading cybersecurity talent. 

Copyright © 2016 IDG Communications, Inc.
