The security staffing problem isn't going away. Now what?

6 strategies and tactics to adjust to a future characterized by higher levels of both vacancy and turnover.

The supply vs. demand of qualified cybersecurity professionals already represents a gap, one that is expected to worsen. Consider:

  • In 2017, the number of U.S. cybersecurity job openings was up from 209,000 in 2015. At that time, job postings were already up 74 percent over the previous five years, according to a Peninsula Press analysis of numbers from the Bureau of Labor Statistics.
  • As of October 2019, there are 715,715 employed cybersecurity workers in the US and 313,735 open positions, according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education, itself a program of the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce.
  • Industry reports predict a much wider (though less precise) gap globally. The 2017 ISC2 Global Information Security Workforce Study predicts a global 1.8M shortfall by 2022.

It is all but certain that demand for security professionals will continue to outstrip supply for the foreseeable future, and organizations should expect vacancy rates and turnover to rise. As the gap widens over the next few years, every organization should expect the remaining resource pool to include more applicants with less experience, fewer skills, or both.

In such a future, organizations will require differentiating (stand-out) recruiting and retention incentives in order to achieve better-than-average results. But even that likely won't be enough; as aggressive recruiting becomes more common, it will become the new normal.

With the above trends in mind, additional resources should not be the long-term solution to any future security challenge. No critical process should depend on resources that are growing harder to come by. Resiliency plans should accommodate higher levels of both vacancy and turnover, lower staffing levels, and (at least occasionally) incomplete organizational models. Succession planning is a must for continuity of critical positions, not just leaders.

3 strategic response considerations
