
Information Risk Management Blog

10 Ways CIOs & CISOs Can Beat Talent Crunch in Information Security

Jun 15, 2016 2:18:12 AM / by Anupam Bonanthaya



Information security has jumped 33% to become a top-3 priority for IT executives in 2016. With the increasing importance of information security to organizations, the biggest hurdle is no longer buy-in from the board or even the budget. It is the "availability of talent"!

Information security professionals top the list when it comes to the talent crunch. In this article I will cover 10 ways to deal with the talent shortage you are facing today.

 

1. Accept the problem

It is a fact that there is a severe shortage of talent in the industry. The sooner you accept the problem, the quicker you can start thinking about solutions. 

So how big is this problem really?

We hear it from almost every customer we talk to. I am sure you see it around you all the time, but let's look at some research ...

 

A survey conducted back in 2015 by ISACA (with its 3400 members globally) said that 86% are facing a skills shortage in cybersecurity.

According to Symantec's CEO Michael Brown, the demand for the cybersecurity workforce globally is expected to rise to 6 million by 2019, with a projected shortfall of 25%, i.e. 1.5 million!

 

Obviously, one of the main reasons for the shortage is the increased demand for talent due to the increased importance of security to organizations.

You can see below that this year security has jumped into the top 3 as a focus area for IT executives, with 46% of them saying it is their priority, up 33% from last year's 31%.

 

[Image: Security in top-3 priorities for CIOs, 2016]

(Source: 15th Annual State of CIO survey 2016 by CIO.com)

 

In plain terms: security is getting increasingly important, and getting the right talent is getting increasingly tough.

 

Below are a few options ...

 

2. Retain talent proactively

Trying to retain your existing talent should be your #1 priority.

Again, let's try to understand the reasons for people quitting their jobs by looking at some research.

 

According to the 2016 annual salary survey conducted by ComputerWorld, these are the top reasons why IT professionals (including security professionals) look for a new job ...

 

[Image: Reasons for job change in security, 2016]

(Source: ComputerWorld IT Salary Survey 2016)

 

No surprises here: salary, career, challenging work, personal fulfillment, more benefits, etc.

But this can definitely help in coming up with ideas on how to address attrition proactively.

 

3. Make adjustments to salary

More money is always good and might sound like a cliche or a silver-bullet solution for employee retention.

But in the case of security talent, a direct outcome of the shortage in talent and of the increase in the number of things to be done to keep cybercrime in check is an increase in workload for existing people, as seen in the table below.

 

[Image: Salary vs. workload in IT security, 2016]

(Source: IT Security pros by Steve Traynor/CSO.com)

 

In addition, the market salaries for new hires would be much higher.

Therefore, correcting salaries for underpaid employees might be a fair option in order to retain those star performers. 

 

4. Promote internally

In this market it is even tougher to find senior experienced people. 

According to a survey of senior information security executives conducted by IDC in July 2015, positions for experienced talent take much more time to fill.

IDC found from the survey that while jobs that need 5 years of experience fill within 3 months, a good number (21%) of jobs that need 10+ years take a year or more to fill, and the majority (>50%) of jobs requiring 20+ years take more than a year to fill.

This means there are fewer CISOs and senior leaders available in the market than are needed. Therefore, promoting deserving internal employees to take on bigger roles within your security organization is a smart strategy. Your senior leadership team and even your CISO can be born within your organization!

 

 

5. More interesting (challenging) work

Adopt newer technologies. People always like to work on new things.

As per the survey done by SANS, the following are the technologies where organizations are spending money.  

[Image: IT security technology spend, 2016]

(Source: IT Security Spending Trends by SANS, Feb 2016)

 

Something to ponder: are these the areas where your people will be "excited" to work?

  

Laborious manual tasks and repetitive work are very boring. Try automating them where possible, so that you can re-purpose smart people to do smart things.

 

6. Do more than certificates

It is no surprise that the majority of IT Security professionals feel certifications are valuable.

 

[Image: Value of certifications in IT security, 2016]

(Source: IT Security pros by Steve Traynor/CSO.com)

 

Therefore helping your team acquire certifications in security is definitely a must-do. 

 

In addition, you can also look for other training that can help them.

The table below gives some ideas.

 

[Image: Preferred trainings by IT pros, 2016]

(Source: ComputerWorld IT Salary Survey 2016)

 

As you can see, there are many other kinds of training that IT professionals in general (including security professionals) find valuable for their careers: advanced technology skills, leadership skills, project management skills, communication skills, analytics skills, under-grad/graduation degrees in both technology and business, etc.

 

 

7. Cross train other IT

There is a popular saying that in security you need "people who are experts in the technologies that they would be securing".

Therefore it makes sense to take the best people from IT and train them in security. 

There is another reason for it - Security is a better career for them.

See in the table below how security pros are significantly more satisfied and motivated with their careers than the average IT professional.

[Image: Security pros more satisfied than other IT pros]

(Source: IT Security pros by Steve Traynor/CSO.com)

 

Therefore, a career in security would be a desirable next step in the career progression of many IT professionals.

 

 

8. Outsource skills

Outsourcing skills in the form of consultants or managed services is a very common practice. In fact, it is growing aggressively. 

According to Gartner, in 2015 the IT security outsourcing segment grew the fastest, at 25%. That is almost double the growth in overall worldwide IT security spending of $75.4 billion, which also grew by a high 13.9%.

The table below, from a survey conducted by SANS, shows the various skills being sought by organizations in 2016.

 

[Image: Security skills being sought, SANS, 2016]

(Source: IT Security Spending Trends by SANS, Feb 2016)

It is interesting to see the willingness and interest for outsourcing even in areas like security analytics. 

 

 

9. Hire new blood

Hiring new blood is always good in many ways.

And if you are trying to hire people from other companies, this table can provide insight when someone is thinking about switching their job.

 

[Image: How to poach IT pros, 2016]

(Source: ComputerWorld IT Salary Survey 2016)

 

Again, a salary increase is an obvious one. But you can also see how people put a lot of value on other things, like better work/life balance, more vacation time, etc.

You can also see some common items like newer technologies, bigger responsibilities/new title, and training repeat here from the earlier employee retention list.

At a macro level, you have organizational stability and job security that might work in your favor and hence can be stressed when making the pitch.

 

 

10. Have more fun

Stress is very common among IT professionals in general (including security professionals).

As per the chart below, 45% of the people are stressed (stressful and very stressful), and another 40% are somewhat stressed.

85% is a large percentage!

 

 

[Image: Stress amongst IT pros, 2016]

 (Source: ComputerWorld IT Salary Survey 2016)

 

I am sure stress is even higher among security professionals; I would not be surprised if it is 100%!

Security is a serious topic. Unfortunately, missed deadlines and failed projects might lead to a bigger, more serious impact in security.

One way of managing stress would be to make the work environment more fun.   



Summary:

It is a fact that security is a high priority for executives this year. It is also a fact that there is a talent crunch in the industry. But it is also a fact that this is not the end of the road and there are many ways you can work around the problem.

I have talked about a few, but I am sure there are many more.

Looking forward to hearing from you about your experiences with the talent crunch in the industry, and what works/does not work in your experience.

If you like this article, please share it.



At Aujas, we can help you in 3 ways, as follows:

1. Our Security Analytics & Visualization Platform (SAVP) and Platform as a Service (PAAS) offerings can help automate many manual tasks, in addition to helping focus your attention and resources on the "right" risks, thus drastically reducing your workload while making you more effective in mitigating cyberthreats.

2. Our Managed/Co-managed Offerings can help outsource your security programs by retaining your existing tools and investments, but filling the missing gaps with our platform/services, and do it with an overall cost savings to you.  

3. Our Expert Practice Service Offerings across Risk Advisory, Identity/Access Management, Threat/Vulnerability Management, Security Intelligence & Operations, and Digital Business Security can help plan, implement and maintain your security programs with our best-of-breed consultants across the globe.


 

Topics: Cybersecurity, Information security, Security, talent, SOC, security analytics, security services, hiring, infosec, managed security


Written by Anupam Bonanthaya

Chief Marketing Officer @Aujas, Passionate about Information Risk & Security. Working with customers globally to help them secure their Most Valuable Asset - Information Assets.

     
