The Growing Security Skills Shortage

Jonathan Penn

We are regularly hearing from our security clients about their difficulties finding people with the right skills – or when they do finally find them, these people are too costly to employ because their skills are in such demand.

Indeed, the “unavailability of people with the right skills” was cited as a top challenge for security groups in both our enterprise and SMB surveys.

In comparing need for talent across 25 different IT roles, Forrester analysts came to the conclusion that information security experts are among the hottest roles in IT, sharing the top spot with information/data architects.

The skills shortage is likely to get worse before it gets better. We’re unlikely to see a significant spike in security experts’ salaries to attract those we need to hire: large changes in compensation for senior security personnel would run against the current of economic belt-tightening. Another typical approach to offsetting the shortage would be to train up: foster the career development and advancement of existing security personnel on our payroll. However, with all the outsourcing that is going on – and which will increasingly occur – there is a shrinking pool from which to find people with “the right stuff” whose advancement is worth championing.

We could look outside of security to others in IT, or even to co-workers in other departments or business groups. But given how poor a job IT Security does of marketing its value proposition, I don’t hold much hope for attracting non-security people.

What do you think? Are we about to hit a very big wall when it comes to skills and staffing? Are you presently feeling the pain of a skills shortage? Do you see such a shortage looming? What measures are you taking to acquire and nurture talent? Which ones are successful and why?

I welcome your thoughts on the topic.


re: The Growing Security Skills Shortage

In my opinion, there are 2 factors that are contributing to the shortage of security personnel. One is the fact that when most companies are looking for security professionals, they normally are looking for people who have the skillset to immediately jump right in. This in turn drives up the cost. Companies should invest more heavily in their own employees. I myself would love to be more involved in the Information Security field. However, my employer would rather pay a price premium for an already established security personnel than to train their own employees.

Since I already am in IT with some security background, in my mind, it would make sense to groom someone like me. Obviously the other reason would be cost. As posted, experienced security professionals are commanding large salaries.

re: The Growing Security Skills Shortage

To your point...I agree there is a looming problem finding individuals who are not only well qualified but who have the requisite experience coupled with common sense and business acumen to meet the complex technical and organizational challenges that a Security Director, or CISO or CSO will face. To address these shortfalls in skills and abilities the DOD and the NSA actually started a program that has now expanded to Universities across the U.S.

There are 70 plus Universities that have Information Security Centers of Excellence that are providing quality graduate and under-graduate programs in the field of information security. A list of these Universities can be found on the Department of Homeland Security and the National Security Agency's websites.

As a former University Department Chair and Professor of Information Security at the National Defense University which is a Center of Excellence, I can attest to the quality of the curriculum and the quality of the students who are attending these programs.

It seems to me that organizations who are looking for top talent in the information security career field should talk to these Centers of Excellence and find out more about the programs and the graduates.

re: The Growing Security Skills Shortage

Both great comments. To the first one, I would think organizations would get smarter about "training up". With more people like Edgar, who are eager to move into the IT Security domain, and with a growing realization that IT Sec groups are short staffed, this would help us avoid a crisis.

The comment about higher-ed InfoSec programs is a great one. Among the presenters at Forrester's Security Forum last year were Dr. Avi Rubin, Director of Johns Hopkins' Information Security Institute, and Dr. Eugene Spafford, Director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue. These and other programs are great places to find talented, experienced security staff. And as we struggle with this issue, we should perhaps look to buy from vendors who donate products to such (preferably local) institutions. That way, students can learn on the latest hardware and software, and we can hire fresh graduates who’ll arrive on day one with relevant experience.

re: The Growing Security Skills Shortage

We live and engage in business in a highly connected and insecure global digital village today. At the foundation of our strength lie our business and defense institutions, and at their foundation lie IT infrastructures.

Information security is thus undoubtedly a matter of paramount defenses today, and it must be a cardinal business priority. The entrustment of this great responsibility in trustworthy and capable hands goes hand in glove with an escalated priority.

Amongst a multitude of other measures, as it pertains to this topic, as a nation, we should seriously consider the establishment of an Information Security Defense institution chartered with promoting and facilitating the need for and the availability of capable security expertise, so our organizations can be adequately protected at all times.

I commend Forrester for shedding light on this vital matter.

Best wishes,
Sanjay Tandon
Chief Executive Officer
Paramount Defenses Inc.

re: The Growing Security Skills Shortage

A shortage of security skills? Not buying it. This is a bigger myth than the software engineer shortage. When supply is short, salaries go up. That has not happened, even before the 'belt tightening'. Where are all these unfilled jobs? I don't see them on Monster, Dice, Career Builder etc. I've seen a couple of jobs posted recently asking for ~ 10 years experience and offering less than 65k.

I know several people with 2 to 5 yrs experience in security who were laid off from 2 different companies and aren't exactly finding themselves in high demand.

The only people I can see talking about a shortage are those who make a buck off education.