The supply vs. demand of qualified cybersecurity professionals already represents a gap, one that is expected to worsen. Consider:

In 2017, the number of U.S. cybersecurity job openings was up from 209,000 in 2015. At that time, job postings were already up 74 percent over the previous five years, according to a Peninsula Press analysis of numbers from the Bureau of Labor Statistics.

As of October 2019, there are 715,715 employed cybersecurity workers in the US and 313,735 open positions, according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education, itself a program of the National Institute of Standards and Technology (NIST) - U.S. Department of Commerce.

Industry reports predict a much wider (though less precise) gap globally. The 2017 ISC2 Global Information Security Workforce Study predicts a global 1.8M shortfall by 2022.

It is all-but-certain that demand for security professionals will continue to outstrip supply for the foreseeable future, and organizations should expect vacancy rates and turnover to rise. As the gap widens over the next few years, every organization should expect the remaining resource pool to include more applicants with less experience, fewer skills, or both.

In such a future, organizations will require differentiating (stand-out) recruiting and retention incentives in order to achieve better than average results. But even that likely won’t be enough; as aggressive recruiting becomes more common, it will become the new normal.

With the above trends in mind, additional resources should not be the long-term solution to any future security challenge. No critical process should depend on resources that are growing harder to come by. Resiliency plans should accommodate higher levels of both vacancy and turnover, lower staffing levels, and (at least occasionally) incomplete organizational models. Succession planning is a must for continuity of critical positions, not just leaders.

3 strategic response considerations

In a single word: adapt.

1. Plan for a future state of limited resources

The future staffing model will almost certainly embrace a diversity of skill sets, from the traditionally senior to those with less experience, and those with little or none. Given this, organizations should expect to invest more in training and work to create a culture of retention.

Apart from the direct effect on turnover, retention measures can be an attractive aspect of a recruiting strategy and shouldn’t be reserved for when a key resource gives notice. Creating a retention culture starts with getting to know your employees and understanding their ambitions. Make certain each employee has a development plan and a career path. Promote aggressively from within (as a matter of policy) and foster a sense of appreciation by celebrating the milestones you wish to reinforce (e.g., promotions, taking on new responsibilities, education, and certifications).

Planning for limited resources also means remaining vigilant against any waste of time or effort. Crystal clear prioritization should be every security organization’s watchword going forward and, in future, tough choices may very well be required. Consider the organization’s tasks with care: dedicate resources to truly critical work, defer the less important, and abandon the unimportant as an unaffordable luxury. At the same time, embrace time-saving measures and efficiencies wherever possible, particularly automation.

2. Develop skills to support automation

In addition to the human resource shortage, the security function will also need to contend with the explosion of data and the growing complexity of the environments it protects. To meet these challenges, the future state may require an even greater dependence on technology. Organizations should look beyond traditional risk management skills and recruit, retain, or develop skill sets against their future needs, including data science, network design, and programming — skills that will enable and support greater automation.

In the near term, any repetitive work should be considered a good candidate for automation. In the longer term, think towards a future where tasks are automated for no other reason than they can be.

3. Plan to partner

Organizations need to be honest and critical of their own capabilities — both about what they can do and what they can’t. Clear prioritization will help (to a point) but it can only go so far in compensating for real deficits. Organizations should plan to partner with external organizations that are in a position to help.

Opportunities are many and this is an area where initiative and creativity could be rewarded. Local universities, professional organizations, and information sharing groups are all legitimate avenues of exploration. Even competitors are fair game in times of crisis provided competition is not compromised (in areas like incident response, for example).

Organizations may choose to outsource certain tasks, relying on managed security service providers or other third parties. That means excelling at managing third parties and planning for uneven results from those partners during the initial adoption phase.

3 tactical response considerations

1. Get closer to the applicant pool and get there earlier

Human resources departments should be targeting universities with information assurance (security), data science, computer science or STEM programs, etc. If they aren’t, reach out to the universities yourself and volunteer your services. This, too, is an area where creativity and imagination can pay dividends. Some courses host occasional guest speakers, particularly subject matter experts in the workplace. Some professors pride themselves on steering their best and brightest towards post-graduation employment. Career centers are always looking for intern opportunities for their students. Could you use a little help in the summer months? Do whatever it takes to get a first look at the next cohort of graduates, cultivate their interest, and sign up those you’re interested in before they ever hit the job market.

Much the same can be said of professional organizations. Information security has several, and some of your staff are likely already members. Encourage activity in the local chapters and make a point of hosting chapter meetings. If you can, host meetings given over to outreach, training, or guest speakers (meetings with a special draw or high attendance).

2. Address training aggressively

Focus training efforts on skills, domain expertise, and institutional knowledge — employees need a combination of all three to be successful.

Skills. Train for both the skills your organization needs now (e.g., risk management, engineering, operations, communications, infrastructure, and software security) and those it will need in a resource-constrained future (e.g., data science, analytics, network design, and coding).

Domain expertise. Certification encourages a broad study of information security and provides its own form of validation. Point your newest hires towards professional certification early and encourage those with the requisite years of experience to sit the exam. Set aside time for tutorials and sponsor formal study groups; make support for certification part of your organization’s DNA. Consider subsidizing professional certification financially to the degree your means allow.

Institutional knowledge. Create a ‘fact book’ for your organization, similar to this one: https://www.cia.gov/library/publications/the-world-factbook/. Breadth and scope are very much up to the organization’s individual needs, but at a minimum it should include an up-to-date list of every application supported by security and IT and every third party with whom confidential data is shared. Once created, assign ownership to the appropriate resource (threat intelligence or incident response), but the entire team should share responsibility for maintaining the content, new hires (who will gain the most from the exercise) particularly so.

Explore cross-training within security and avoid potential single points of failure, particularly with important skills or mission-critical responsibilities. If you can arrange to cross-train with other external groups, start with those that represent a source of potential recruits: IT, risk, project management, and audit, etc.

3. Do more with less-skilled staff

The security team of the future is likely to be a little younger, a little newer to the field, and a little less experienced. As professionals and managers, our challenge will be finding ways to make that work.

Conventional thinking, in some organizations, is that junior resources execute a process, mid-level resources analyze, while senior resources are given over to engineering, design and architecture. We can no longer afford to waste even entry-level resources in this way. In the future, those processes undertaken by junior staff should probably be candidates for automation and a new approach for preparing entry-level and junior staff for senior roles will be needed. Consider embedding junior resources with the analysts, designers, engineers and architects immediately. Self-organizing and cross-functional teams are used to great effect in software development, and security can leverage an approach where junior members contribute side-by-side with, and guided by, more senior team members.

Leadership needed

Make no mistake: adapting to security’s future means more than just working smarter; it requires real change. Leadership will be required more than ever — to provide vision, set goals, and foster a sense of purpose. Preparing your staff for the future means more than developing their skills; it also means developing their leadership.

Comb your staff for anyone that shows even a spark of initiative, mentoring, or inspiring others. If you have the flexibility and the organizational support, consider guiding promising prospects to management, communication, and leadership development programs earlier. Take full advantage of whatever internal development resources your organization offers.

If you are the CISO, don’t be tempted to carry the burden alone. Delegate more to your managers and start training those future CISOs. If you’re a manager, start identifying the next generation of managers. If you have ambitions of leadership or greater responsibility, speak up!