Winning the war for cybersecurity talent

Security leaders say they expect demand for talent to outstrip supply for at least the next several years. Your task: develop staffing plans that recognize that reality.


The numbers aren’t encouraging for CISOs looking to hire security professionals: The U.S. cybersecurity labor market is short about 500,000 workers, according to a recent report from the nonprofit training group (ISC)².

Here’s more discouraging news: That same report, the 2019 (ISC)² Cybersecurity Workforce Study, estimated that the U.S. cybersecurity workforce must grow by 62% to meet the business demands for talent. Globally, the numbers are even more daunting. The group calculated that the global cybersecurity workforce needs to grow by 145% to eliminate the skills gap.

The numbers aren’t particularly surprising, according to leading security authorities who say the report quantifies their hiring experience.

“Yes, we do have a shortage in cyber, and it’s not going to be fixed any time soon. It’s not a field where you can become an expert overnight,” says Keith Palmgren, a senior instructor with the SANS Institute, a cybersecurity training organization, and author of SANS SEC301: Introduction to Cyber Security.

Although the significant lack of cybersecurity professionals creates challenges for CISOs, Palmgren, veteran CISOs and management leaders say the problem is exacerbated by the fact that many enterprise security teams don’t have a talent acquisition and retention strategy that’s aligned to business needs and market realities.

What’s the solution? These experts say CISOs should first concentrate on developing a strategy to more efficiently and effectively build the teams they need while also recognizing the limits of a tight labor market.

“Most organizations don’t have a workforce strategy when it comes to security. They don’t know what they want in terms of people, skills and talents six months to a year from today. They’re stuck hiring for positions they needed six to 12 months ago. And if you ask CISOs what they need in a year, they don’t know. That cycle will always keep them lagging behind,” says Sam Olyaei, a director at Gartner Research, where he is a part of the Risk and Security Management group.
