The poor scalability of cybersecurity consulting services is exacerbating the challenges of meeting surging demand, forcing security service providers to build creative recruitment strategies and look overseas to meet demand, according to the head of one fast-growing security consultancy.Speaking with CSO Australia just weeks after he joined pen-testing and auditing firm Securus Global, CEO Chris Williams said the company \u2013 which hopes to hire 10 new security specialists over the next 12 months \u2013 has recently recruited experts from as far afield as Brazil, London, and Portugal.\u201cIt is that hard\u201d to find suitably skilled professionals, he said. \u201cIn Australia, there's only a very small group of good security analysts and hackers. So you either start playing the chess game and moving everybody around [between companies], or you go elsewhere. I went globally, looking for the best I could find.\u201dThe issue has produced common problems across the entire security industry, where consultancies are fighting for skilled professionals in a small pool and the labour-intensive nature of the job has made it difficult to scale up organisational capabilities.\u201cThe biggest problem is our ability to provide the capability to service that demand,\u201d Williams said. \u201cLike any professional services business, security is not really scalable: there are no multipliers, and one person per day gives one FTE value to the customer. So it's a challenge for us to find ways to keep up with it.\u201dRecent research into the cybersecurity skills pipeline hasn't offered much relief.In the Frost Sullivan-backed ISC2 Global Information Security Workforce Study, released earlier this year, 62 percent of respondents said their organisations had too few information security professionals \u2013 up notably from the 56 percent flagging a shortfall a year earlier.Frost Sullian extrapolated the ISC2 figures to forecast a global shortfall of 1.5m information-security workers, with just 195,000 new infosec professionals hired globally this year.\u201cA security-conscious end-user community would seem to be an essential line of defense,\u201d the report notes, \u201cbut the survey respondents are showing less confidence in the effectiveness of end-user security training and education.\u201dThis lack of confidence segues into the broader issues limiting security skills availability: \u201cIn the final assessment, the strategies of investing in security technologies, personnel, and outsourcing will be insufficient to materially reduce the workforce shortage,\u201d the Frost Sullivan analysis warned.\u201cAn expansion of security awareness and accountability throughout the organization is required. Casual attempts at security awareness and education only go so far. A more impactful approach is to embed real security accountability into other departments, in particular IT; and for the IT and security departments to function more collaboratively.\u201dAs a consulting organisation, facilitating this embedding is high on the list of priorities \u2013 as is getting the staff to make it possible.Williams has been looking internally and thinking laterally in considering possible solutions, with one option revolving around the development of new, more-scalable services \u2013 staff security-awareness training is one option \u2013 that can be delivered to corporate customers with an online component.This service, like another mooted Web-discovery tool and others in the works, would expand the Securus range of services and generate new revenue streams that can be invested into staff recruitment and training.\u201cIf we can use that cashflow to start a bit of a graduate program internally, this will help us,\u201d Williams said. \u201cIt would help break that cycle that graduates are in, and it means they wouldn't get thrown to the wolves from day 1; it would give us a place to get them up to speed without throwing them out on customer sites.\u201dIn the longer term, expanding away from the one-on-one consulting engagement would not only bolster the company's capabilities but would \u201ctake a bit of the pressure off that demand for individual face-to-face engagements,\u201d Williams said. \u201cWe're looking for all sorts of services that will differentiate us and add value. We'll never lose the consulting part, but that's not to say there aren't other services that we can deliver using different models. We've positioned ourselves to streamline the business and get it ready for that next growth phase.\u201dWant to know more? Why not become a CSO member and subscribe to CSO's mailing list.Get newsletters, updates, events and more right here.