



Dealing with a shortage of information security and IT skill sets

Nov 07, 2017 | 3 mins
Data and Information Security | IT Skills | Staff Management

There is no question that there is a shortage of data security, information security, and cybersecurity skill sets across the globe.

After talking about the CISO's role in mergers and acquisitions, it's time we examine the shortage mentioned above, offer short- and long-term solutions, and give guidance on how Chief Information Security Officers (CISOs) can be proactive and provide leadership to mitigate the issue.

A recent report by Cybersecurity Ventures predicted that the existing cybersecurity workforce gap will increase to 1.5 million job openings by 2019. Some experts predict there will be a global shortage of two million cybersecurity professionals by 2019. Whether it is 1.5 million (July 2016) or two million (March 2017), there is a huge gap in cybersecurity skill sets that is affecting every vertical market. While no one CISO can win this battle, with our combined skills we can collectively mitigate the risk to an acceptable level. 

As we examine the problem set, there are a few short-term solutions that we can apply to business.

1. Cybersecurity skills gap doesn’t have to be an enterprise operational gap

Identify security commodity areas (e.g., log management and analysis) within your business that are more routine in nature, where processes and procedures could be handled by third-party suppliers. Many resource-constrained organizations are addressing the shortage challenge by adopting managed security services. In fact, almost two-thirds (62%) of Global State of Information Security® Survey 2017 respondents say they use security service providers to operate and enhance their cybersecurity programs.

Your security team can partner with trusted vendors for managed services or subscribe to service plans where outside experts can act as an extension of your cybersecurity team. A trusted security service provider can train current employees, operate a cybersecurity program, and help to establish enterprise awareness programs, as cybersecurity is a shared responsibility across different functions.

2. Educate current employees as to how human error plays a large role in security breaches….

…and teach them correct cyber hygiene – from not opening phishing emails, to not downloading software without permission, to creating strong passwords and changing them regularly.

3. Long term, it’s critical for CISOs to employ proactive approaches, such as building your own cybersecurity workforce

Consider working with local technical colleges and community colleges in your geographic area to find students who have cybersecurity skill sets, or who are looking for a career in cybersecurity.

Consider offering scholarship programs within your enterprise to bring resources to your company and to grow your own talent pool. In addition, think about employing veterans who have skills that may be equivalent to cybersecurity skills, and bring those trained veterans into your workforce. 

4. Look to outside organizations that are trying to recruit more professionals into the cybersecurity field

One example is the Cybersecurity Workforce Alliance (CWA), which was set up by the financial industry, based around New York, to close the skills gap.

Planning, collaboration, and a proactive approach that involves all enterprise entities should be part of your strategy to secure your enterprise and mitigate the cybersecurity shortage issue.


John Petrie is Chief Information Security Officer of NTT Security, responsible for information security strategy and security program management. Prior to NTT Security, John held senior information security and consulting roles at IBM, Harland Clarke Holdings Corp, and the University of Texas Health Science Center, San Antonio.

A graduate of the Defense Intelligence College, he maintains ties to the intelligence community as a charter member of the Marine Corps Intelligence Association.

The opinions expressed in this blog are those of John Petrie and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
