Why are security specialists the unicorns of tech recruitment?
There is a need for more and more cyber security specialists, but supply of skilled professionals is well behind demand. How can we close the recruitment gap?
Well, this is alarming: there is a terrible shortage of skilled security professionals. The Financial Times tells us that the global demand for cyber security experts will outstrip supply by a third before the end of the decade. Frost & Sullivan’s Global Information Security Workforce Study warns that there will be a shortage of 1.5 million security workers within five years.
Universities have started programs that teach security to eager students, but that doesn’t help in the short term. Security firm McAfee reported as long as ten years ago that the lack of good security labor puts businesses at risk. Then why are we still in this situation?
I see three main reasons for the recruitment gap:
- We don’t know what to teach. While education is always beneficial, we might be teaching the wrong skills. The security field evolves rapidly, and a specific technology that is taught today may be obsolete tomorrow. It is important to understand and know security technologies, but eagerness to learn new things is more important. Security is a mindset, not a technology.
As security pro Nick Selby says: “To be good at infosec, one must be smart, detail-oriented, imaginative, and audacious.” Couldn’t have put it better myself!
- Companies don’t know what they want. It’s a running joke that companies want to hire recent graduates with 15 years of experience. This actually might just be true in security.
Because many organisations aren’t aware of what kind of skills they really need, they end up listing just about every requirement they can come up with in their job ads. This may intimidate potential recruits and prevent them from sending in their resume.
There are 103 000 people with a CISSP certification in the whole world, and 50 000 job openings with this requirement in the US alone. Maybe results would be better with slightly less restrictive requirements and letting promising candidates learn by doing?
- You need more than just security skills to be successful. It is not enough to be an expert in a narrow technological subject. Security pros must also know their industries inside out. It is increasingly important for IT staff to be able to speak the same language as the C-suite.
And another reason why it is important to be able to explain the importance of cyber security to business leaders: in a recent study, only 25% of executives and board members think that recruiting skilled security professionals is a top priority. There’s still a lot of work to be done in convincing business leaders why they should care about security.
While we will have to cope with the shortage of security experts for some time, you can still do a lot to make your organisation safer and more resilient to attacks. If it turns out to be difficult to get the skills in-house, outsourcing might make a lot of sense.
As I’ve written earlier, security is not just a supporting function but an integral part of all business activities and everyone’s responsibility. If you can get your company culture to embrace security, your security experts (when you find them) can concentrate on bringing added value to your business.