



The most critical gap in cybersecurity today: Talent

Aug 03, 2016 · 5 mins
Careers, IT Leadership, Technology Industry

CISO shares how other industry leaders can help close the talent gap.


You only have to look at recent headlines to confirm that cybersecurity is a critical concern that touches every industry and every individual, and threats are only continuing to increase.

Yet in a recent study conducted by ISACA and RSA, 52 percent of global cybersecurity and IT managers and practitioners said “that less than a quarter of applicants for cybersecurity positions have the necessary skills for the open position. As a result, 53 percent said it can take three to six months just to find a qualified candidate.” Then it takes another three to get them on board. This is a pressing issue within this field of work that needs to be addressed. So how did this shortage or “talent gap” happen in the first place?

When the information security industry first began to be a focus area, three decades ago (when I entered the IT/Security world!), enterprises did not anticipate the incredible advancements in technology, the rapid increase in advanced cyber attacks and the constant need to protect sensitive data. The major advancements of technology alone, from mobile applications to cloud to the internet of things, have shined a spotlight on both the security vulnerabilities these technologies present and the lack of cybersecurity professionals who know how to fix them.


But instead of making a concerted effort to attract and retain cyber talent, many organizations took an alternative route of outsourcing their security teams. As breaches continue to increase in both frequency and sophistication, enterprises have had to make a switch to hiring an internal team of dedicated info security professionals, who are tough to find and hard to keep. This shift in approach towards internal enterprise security created an immediate need to seek out and train qualified security professionals. Over the years, this need for qualified and skilled security professionals has grown faster than the workforce available to fill the jobs, leading to this major gap.

Despite the growing breadth/depth of security threats in the everyday organization, it is typical to find an unstructured security team that is not providing professional growth or continued education opportunities. Furthermore, the few professionals who are qualified are spread too thin and tend to burn out quickly. This has also had a profound impact on the security industry, which is now seeing 1 million unfilled cybersecurity jobs in 2016 alone, and that number is expected to increase to 6 million global job openings by 2019.

While the task of closing this gap seems daunting, it is important for enterprises to shift their focus to their internal teams to cultivate the talent that already exists within their organizations, even if it’s minimal to start. They need to provide an environment that encourages career growth and constant training to ensure security professionals are armed with the knowledge and skills to defend their organizations. If this becomes the practiced behavior, it is my belief that the skills gap will start to close.

To do this, you must understand what skills you already have and then determine what you need within your security team when hiring. There is a range of talent required to keep an enterprise secure, so you must know your must-haves when doing so. In addition, it’s important to understand the soft skills needed, which include creative problem-solving, the ability to foster collaboration and a drive to challenge conventional thinking to stay ahead of hackers. It is no longer easy to find that 100-percent candidate, and even the 80/20 rule doesn’t work anymore! You have to accept that, at times, you may have to hire the must-have(s) and train the rest – maybe a 50/50 rule?

Once you have a good understanding of what you need, make sure you are finding the right people and making a concerted effort to retain the talent within your organization. Though this is a long-term process that requires continued effort, below are some quick tips to point you in the right direction:

1. Working with elementary/high school/colleges/universities

Cultivating talent early on is the most effective strategy to address the growing talent shortage. Work with schools/students to provide insight into the cybersecurity industry by supporting training and education initiatives that will arm young professionals with the skillsets necessary for success. This includes adding internships to your hiring practices!

2. Fostering an environment of continuous cyber education

Since threats are constantly evolving and technology is advancing more rapidly than ever, continued education is necessary to keep skills sharp. It’s essential that organizations provide in-house and ongoing security training and certification courses, for everyone enterprise-wide, that will give security professionals a leg up on hackers.

3. Offering security teams meaningful employment

Retain the talent within your organization by ensuring that employees feel their employment is meaningful. By offering opportunities for professional guidance and mentorship, you’ll create a supportive environment, leading to higher employee satisfaction and reduced turnover rates. Give them the opportunity to learn and empower them to be the best that they can be.

If we want to address the cyber talent shortage, we need to tackle the issue head on. By making a concerted effort to cultivate talent, encourage continued education and create a supportive workplace environment, we can strengthen the security industry and help build the workforce to thwart cyber attackers.

I love what I do, do you?


As CIO and chief information security officer at Venafi, Tammy Moskites helps CIOs and CISOs fortify their strategies to defend against increasingly complex and damaging cyberattacks on the trust established by cryptographic keys and digital certificates. Tammy draws on her professional experience, leadership capabilities and domain expertise as a CISO at Global 250 companies to help fellow CISOs defend their organizations. There is often a gap that cybersecurity teams miss in securing keys and certificates that leaves the door open for cybercriminals. Tammy’s leadership and experience will help other CISOs close those doors.

Prior to joining Venafi, Tammy served as CISO at Time Warner Cable, where one of her many responsibilities was to re-engineer and centralize the information security and IT compliance organizations to support global operations. Tammy also held the CISO position at The Home Depot, where she provided strategic executive and collaborative business direction for several teams, including identity and access management, IT compliance and regulatory, e-discovery and forensics, encryption and more. Tammy's other relevant security experience includes stints at Huntington National Bank, Complete Information Technologies LLC, BankOne, Nationwide and Aetna.

Tammy is also a leader in several important IT security organizations, including ISSA, ISACA, InfraGard and the Information Risk Security Board. In 2013, she was recognized as one of the Top Women in Technology by CableFax magazine and as one of the 25 finalists for the Evanta Top 10 Breakaway Leader Awards. In 2010, she was the winner of the Information Security Executive North America People’s Choice award. Tammy is a member of the advisory boards of Box and Qualys, and she provides strategic guidance to other industry-leading security vendors.

The opinions expressed in this blog are those of Tammy Moskites and do not necessarily represent those of IDG Communications Inc., or its parent, subsidiary or affiliated companies.