


The security staffing problem isn’t going away. Now what?

Oct 29, 2019 | 8 mins

6 strategies and tactics to adjust to a future characterized by higher levels of both vacancy and turnover.

The supply vs. demand of qualified cybersecurity professionals already represents a gap, one that is expected to worsen.  Consider:

  • In 2017, the number of U.S. cybersecurity job openings was up from 209,000 in 2015. At that time, job postings were already up 74 percent over the previous five years, according to a Peninsula Press analysis of numbers from the Bureau of Labor Statistics.
  • As of October 2019, there are 715,715 employed cybersecurity workers in the US and 313,735 open positions, according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education, itself a program of the National Institute of Standards and Technology (NIST) – U.S. Department of Commerce.
  • Industry reports predict a much wider (though less precise) gap globally. The 2017 ISC2 Global Information Security Workforce Study predicts a global 1.8M shortfall by 2022.

It is all but certain that demand for security professionals will continue to outstrip supply for the foreseeable future, and organizations should expect vacancy rates and turnover to rise.  As the gap widens over the next few years, every organization should expect the remaining resource pool to include more applicants with less experience, fewer skills, or both.

In such a future, organizations will require differentiating (stand-out) recruiting and retention incentives in order to achieve better than average results.  But even that likely won’t be enough; as aggressive recruiting becomes more common, it will become the new normal.

With the above trends in mind, additional resources should not be the long-term solution to any future security challenge.  No critical process should depend on resources that are growing harder to come by.  Resiliency plans should accommodate higher levels of both vacancy and turnover, lower staffing levels, and (at least occasionally) incomplete organizational models.  Succession planning is a must for continuity of critical positions, not just leaders.

3 strategic response considerations

In a single word: adapt.

1. Plan for a future state of limited resources

The future staffing model will almost certainly embrace a diversity of skill sets, from the traditionally senior to those with less experience, and those with little or none. Given this, organizations should expect to invest more in training and work to create a culture of retention.

Apart from the direct effect on turnover, retention measures can be an attractive aspect of a recruiting strategy and shouldn’t be reserved for when a key resource gives notice.  Creating a retention culture starts with getting to know your employees and understanding their ambitions.  Make certain each employee has a development plan and a career path.  Promote aggressively from within (as a matter of policy) and foster a sense of appreciation by celebrating the milestones you wish to reinforce (e.g., promotions, taking on new responsibilities, education, and certifications).

Planning for limited resources also means remaining vigilant against any waste of time or effort.  Crystal-clear prioritization should be every security organization’s watchword going forward and, in future, tough choices may very well be required.  Consider the organization’s tasks with care: dedicate resources to truly critical work, defer the less important, and abandon the unimportant as an unaffordable luxury.  At the same time, embrace time-saving measures and efficiencies wherever possible, particularly automation.

2. Develop skills to support automation

In addition to the human resource shortage, the security function will also need to contend with the explosion of data and the growing complexity of the environments it protects.  To meet these challenges, the future state may require an even greater dependence on technology.  Organizations should look beyond traditional risk management skills and recruit, retain, or develop skill sets against their future needs, including data science, network design, and programming — skills that will enable and support greater automation.

In the near-term any repetitive work should be considered as a good candidate for automation.  In the longer term, think towards a future where tasks are automated for no other reason than they can be.

3. Plan to partner

Organizations need to be honest and critical of their own capabilities — both about what they can do and what they can’t. Clear prioritization will help (to a point) but it can only go so far in compensating for real deficits.  Organizations should plan to partner with external organizations that are in a position to help.

Opportunities are many and this is an area where initiative and creativity could be rewarded.  Local universities, professional organizations, and information sharing groups are all legitimate avenues of exploration.  Even competitors are fair game in times of crisis, provided competition is not compromised (in areas like incident response, for example).

Organizations may choose to outsource certain tasks, relying on managed security service providers or other third parties.  That means excelling at managing third parties and planning for uneven results from those partners during the initial adoption phase.

3 tactical response considerations

1. Get closer to the applicant pool and get there earlier

Human resources departments should be targeting universities with information assurance (security), data science, computer science or STEM programs, etc. If they aren’t, reach out to the universities yourself and volunteer your services.  This, too, is an area where creativity and imagination can pay dividends.  Some courses host occasional guest speakers, particularly subject matter experts in the workplace.  Some professors pride themselves on steering their best and brightest towards post-graduation employment.  Career centers are always looking for intern opportunities for their students.  Could you use a little help in the summer months?  Do whatever it takes to get a first look at the next cohort of graduates, cultivate their interest, and sign up those you’re interested in before they ever hit the job market.

Much the same can be said of professional organizations.  Information security has several, and some of your staff are likely already members.  Encourage activity in the local chapters and make a point of hosting chapter meetings.  If you can, host meetings given over to outreach, training, or guest speakers (meetings with a special draw or high attendance).

2. Address training aggressively

Focus training efforts on skills, domain expertise, and institutional knowledge — employees need a combination of all three to be successful.

Skills.  Train for both the skills your organization needs now (e.g., risk management, engineering, operations, communications, infrastructure, and software security) and those it will need in a resource-constrained future (e.g., data science, analytics, network design, and coding).

Domain expertise.  Certification encourages a broad study of information security and provides its own form of validation.  Point your newest hires towards professional certification early and encourage those with the requisite years of experience to sit the exam.  Set aside time for tutorials and sponsor formal study groups; make support for certification part of your organization’s DNA.  Consider subsidizing professional certification financially to the degree your means allow.

Institutional knowledge.  Create a ‘fact book’ for your organization, similar to this one:  Breadth and scope are very much up to the organization’s individual needs, but at a minimum it should include an up-to-date list of every application supported by security and IT and every third party with whom confidential data is shared.  Once created, assign ownership to the appropriate resource (threat intelligence or incident response), but the entire team should share responsibility for maintaining the content, new hires (who will gain the most from the exercise) particularly so.

Explore cross-training within security and avoid potential single points of failure, particularly with important skills or mission-critical responsibilities.  If you can arrange to cross-train with other external groups, start with those that represent a source of potential recruits: IT, risk, project management, audit, etc.

3. Do more with less-skilled staff

The security team of the future is likely to be a little younger, a little newer to the field, and a little less experienced. As professionals and managers, our challenge will be finding ways to make that work.

Conventional thinking, in some organizations, is that junior resources execute a process, mid-level resources analyze, while senior resources are given over to engineering, design, and architecture.  We can no longer afford to waste even entry-level resources in this way.

In the future, those processes undertaken by junior staff should probably be candidates for automation, and a new approach for preparing entry-level and junior staff for senior roles will be needed.  Consider embedding junior resources with the analysts, designers, engineers, and architects immediately.  Self-organizing and cross-functional teams are used to great effect in software development, and security can leverage an approach where junior members contribute side by side with, and guided by, more senior team members.

Leadership needed

Make no mistake, adapting to security’s future means more than just working smarter, it requires real change.  Leadership will be required more than ever — to provide vision, set goals, and foster a sense of purpose.  Preparing your staff for the future means more than developing their skills, it also means developing their leadership.

Comb your staff for anyone that shows even a spark of initiative, mentoring, or inspiring others.  If you have the flexibility and the organizational support, consider guiding promising prospects to management, communication, and leadership development programs earlier.  Take full advantage of whatever internal development resources your organization offers.

If you are the CISO, don’t be tempted to carry the burden alone.  Delegate more to your managers and start training those future CISOs.  If you’re a manager, start identifying the next generation of managers.  If you have ambitions of leadership or greater responsibility, speak up!


Drew Osborne has spent over 30 years in information technology, including more than 20 in information security, and has led teams responsible for information security / cybersecurity, incident response, security operations, third-party risk, software development & quality assurance, data center & network operations. He has designed top-to-bottom information security & cybersecurity programs, and also led successful security compliance and certification efforts.

He served as Chief Information Security Officer (CISO) for Silicon Valley startups, as well as established financial institutions. He is an active member of FS-ISAC, has attended the FBI Citizen’s Academy, and maintained a CISSP certification since 2001.
