How to Deal With the Security Skills Shortage
It would seem that 2014 is shaping up as a big year in cybersecurity.
Hot on the heels of the Thanksgiving weekend cyber attack at Target and FBI warnings of more breaches to come, the White House has now asked for the tech community's help in fighting malicious hackers.
If it isn't already, this is the year security becomes an absolutely essential part of your company.
One problem: There aren't a whole lot of people qualified to work in security jobs.
Last year, a survey showed that more than half (56 percent) of security professionals and business execs said there wasn't enough talent to handle their companies' security needs. And 52 percent said this shortage "contributed to the incidence of breaches in their organizations."
Evan Gordon recruits security professionals for tech companies as regional director with IT staffing company Workbridge Associates. He says the demand for security professionals is through the roof. But he estimates that the unemployment rate for qualified security professionals is close to--ahem--0 percent (and that might not be hyperbole). Meanwhile, the number of jobs in the field is expected to grow by 37 percent between 2012 and 2022.
Gordon fielded questions from Inc. about how companies can cope with the shortage as they look to grow their own security ranks.
So, just how big of a problem are we talking here?
The demand for information security people that are qualified far surpasses the supply. (Part of that is) due to increased need for these people--due to breaches and greater awareness, companies thinking five security people was enough and now they're looking for 10 or 15.
The other thing is that a lot of people during the recession weren't focusing very much on looking for entry-level security jobs and were going to school for more general IT or a different type of degree altogether.
Now when companies are looking for a junior-level security person, their pool of candidates is lower than it might have been a few years ago. It's something that's hot now that maybe wasn't in the forefront of everybody's minds five or six years ago, and because of that, not as many people went into it as a potential career.
We hosted a security meetup in the middle of December and there were several IT professionals--chief security officers and senior guys--and they all said their biggest issue was the lack of candidates, the lack of talent, and every single one of them had at least one to three open jobs they couldn't fill.
Supply and demand is pretty simple to understand. So how on earth does this shortage get dealt with in the short term? How will companies find people?
The biggest thing people need to do, and they're starting to do, is realize they may not find exactly what they want. They may need to settle on bringing on somebody who's more junior who they can mold, teach, and mentor, and grow into those jobs.
Or they might need to take other individuals within their organizations who have interest in security and train them and cross-train them to get them up to speed. Companies might need to try and backfill some of those skillsets.
You can't make people appear out of nowhere, so companies are realizing that it makes sense to hire somebody a year or two out of school with a good (IT) foundation, and send them to classes and teach them. That's just what they have to do.
As to the young talent that is out there, which sorts of programs are they coming out of? Which schools?
There are a lot of schools now offering more specific information security degrees. Drexel's is apparently really good. But even if people don't have a degree with that, are they getting an internship in security?
If people are working in other areas of IT, they can talk to the security people and pick things up, get mentored, learn some things on the job that aren't in their job description, but that go a long way. I think that's more common for more junior IT employees (who choose to focus on security), is they soak in knowledge.
Even if you are hiring on potential and coaching up, the simple economics of this issue pretty well demand that these junior and entry-level security jobs are going to require a fairly hefty salary, right?
The unemployment rate for information security people is close to 0 percent, especially for people who are working with new technology, who have the degrees and certifications. Companies need to give them a reason to (take the) job. That could be the sorts of threats they're dealing with and whether the candidate finds it interesting. It could be working from home. It could be high salary or stock options.
That's pretty much true of technology across the board. But in security, I've never seen anybody take lateral salaries or some kind of paycut. Everything's been some sort of a bump-up to even get them interested.
Companies are investing in security. If places like Target can be hacked into, and they have humongous security operations and teams, then (small and mid-sized businesses) can also.
It's like insurance. Hopefully you don't have to use it, but...
Actually, companies deal with these breaches every single day. Consumers don't hear about them often. We hear about huge incidences that affect us. But security professionals are reacting to and preventing things all the time, day in, day out.
Will the drought end?
More people are coming right out of school interested in security. There does seem to be more of a genuine interest. People are seeing there's more of a demand, so they're seeing it as a good career opportunity.
It's about supply and demand, and it's about awareness. The demand for security people has been high for a while, the supply has been short for a while. Now it's more heightened to the public. People are more aware of what's going on.
You look at a company like Target. No matter how big you are, you can never be 100 percent protected. That's creating a buzz around this market.