ISACA Now Blog


Are We Asking the Right Questions When It Comes to the InfoSec Skills Shortage?

Omo Osagiede, CISSP/ISSMP, CISA, CIPP
Posted at 10:00 AM by ISACA News | Category: Security

Chatting with a colleague recently about local economic issues, I heard her make a remark that I found profoundly interesting at the time.

She said that economic policies are sometimes ineffective because policymakers fail to identify the root causes of the problems they are trying to solve. “We cannot get the right answers if we are not asking the right questions,” she summarized.

I recalled that remark as I reflected on the widely reported shortage, across multiple industries, of people with the needed information security skills, a recurring challenge that shows no signs of abating.

The Scale of the Problem
Security risks continue to gain board-level attention in many industries. After all, high-profile and publicly acknowledged breaches have a strange way of focusing the minds of senior executives on addressing security gaps.

However, the perennial shortage of technically proficient professionals means that organizations are finding it difficult to address security threats at the same pace at which they occur.

A recent EY survey predicts a global shortfall of about 1.8 million security professionals within five years, and 56 percent of its respondents acknowledge that they currently have skills shortages. A separate study suggests that, on average, enterprises are taking longer to find and hire qualified professionals, with some open cybersecurity positions taking up to six months to fill.

With digital transformation firmly on the agenda for many organizations and cyber-attacks on the rise, business leaders appear set to continue to struggle to resource strategic business initiatives with the appropriate security skills.

Asking the Right Questions
With reports that the global skills shortage is getting worse, existing approaches to finding and hiring security talent are worth challenging. Below, I list five questions that look at this problem from different perspectives.

#1: Are Hiring Managers Getting the Right Support?
I recall being presented with many dysfunctional job descriptions over the years as a candidate for various positions. I have, for example, seen security analyst roles erroneously presented as governance and compliance roles, and SOC job descriptions requesting qualifications that appear unrealistic for the level of experience demanded. While it is true that every organization has different requirements, I can’t help but think that hiring managers are being let down by their recruitment service providers.

Job analysis, reviewing the qualifications and requirements of a particular position before engaging in recruitment and selection, is an important first step for tackling false assumptions about a role.

The more accurate the job description, the more effective the interview questions and screening tools can be. The job analysis should cover everything from technical and soft skills to details such as work location, remuneration and key performance indicators.

By challenging the way they develop job requirements, organizations could increase their chances of attracting and retaining the right talent.

#2: Are Security Roles Attractive to More Women?
The tech workforce gender disparity and discrimination against minorities in the industry remain hot topics of discussion at many industry conferences. Specifically, women remain globally underrepresented in the security industry.

It would be premature for an organization to conclude that merely having a diversity program is sufficient for addressing gender imbalance and the marginalization of minorities in the workplace.

Rather than running such programs merely to satisfy corporate KPIs, organizations need to challenge their goals and objectives for them in the first place. Are existing initiatives designed to create a more inclusive workplace, provide mentorship opportunities and address inequalities in pay and career progression for women? Problem areas such as hiring to fill technology and information security roles deserve special attention.

#3: Are Recruiters Trying Non-Traditional Approaches?
Specialist information security degrees and partnerships between higher education institutions and professional certification organizations such as ISACA and (ISC)2 have offered paths into the industry for individuals coming from academia. However, those individuals typically come from science, technology, engineering and math (STEM) backgrounds, where the body of knowledge tends to align closely with the capabilities required to operate in technical security roles.

Challenging the way recruiters traditionally search for security talent could open up vacant roles to a wider pool of candidates. Mentoring, capture-the-flag competitions, hackathons, and bug bounty programs are some examples of alternative ways to find security talent.

These non-traditional methods could improve the way hiring organizations spot traits such as natural curiosity, risk aptitude, analytical thinking and detailed reporting, all of which are foundational attributes for many domains within information security.

#4: Are Organizations Sufficiently Incentivizing Existing Talent?
With some exceptions, most professionals are already thinking about their next career move. Finding security talent is one thing. Retaining existing talent is quite another.

Why do good people leave? Career stagnation is one reason security professionals often cite for changing jobs, so it is worth paying attention to the root causes of staff attrition.

Prioritizing funding across security program areas is a constant challenge for many CISOs, and security education, training and personal development often fall lower in the pecking order when faced with competing priorities. Ring-fencing budget for research, training and development demonstrates leadership’s commitment to attracting and retaining the best talent.

Additionally, infosec leaders and human resources could come up with innovative ways to identify existing talent within their organizations that might sit outside the core security function.

Existing employees who demonstrate sufficient interest and technical ability could become internal hires, saving the business time and money spent on external recruitment while preserving much-needed institutional knowledge.

#5: Could Increased Automation Help?
Perhaps part of the answer to offsetting skills shortages is to reduce the dependency on human effort for repetitive work.

Indeed, many organizations are already exploring robotic process automation to streamline and standardize repetitive processes. This trend is set to continue, especially in DevSecOps, where build, test and deployment pipelines already lend themselves to automated security checks.

The desired state for many CISOs would be to free up skilled professionals to be more creative and innovative, and to focus on optimizing the security function.

Getting the Right Answers
In May 2019, the UK government put out a call for views on a National Cyber Security Strategy.

The call for views recognized that “cybersecurity is central not only to our national security but also fundamental to becoming the world’s best digital economy.” Consultations are ongoing and a final strategy document is expected to be published by the end of 2019.

Some of the questions I put forward in this article have been included in an Initial National Cyber Security Skills Strategy. Asking the right questions should hopefully lead to getting the right answers for remediating the infosec skills gap problem.

Addressing this skills shortage requires fresh thinking and stronger collaboration between government, industry and public/private partnerships.

Editor’s note: For more ISACA insights during Cybersecurity Awareness Month in October, visit ISACA's Cybersecurity Resource Center.

Comments

I think a lot of the "skills shortage" is self-inflicted

As an infosec professional who has been looking for a new position, I don't quite accept that we have a massive 'skills gap' and shortage of people. When I speak with others who are also looking and can't find work, I have a hard time accepting it.

I think a big cause of this is that those looking at the issue are only looking at the surface and not digging in deeper. This article takes a look at some of the items causing the problem.

#1: Are Hiring Managers Getting the Right Support? is a big part of this and goes beyond just hiring managers, but also recruiters (both internal and external).

We see too many bad job descriptions, as you note. Looking for junior level positions with senior level experience (the typical "2 years' experience and a CISSP" nonsense, which I've seen; or expecting a security admin to have a CISM, also seen). Job descriptions demanding 10 'must have skills' that you probably aren't going to find in someone, when you should limit must haves to about 3. Not understanding the difference between analyst, engineer, architect and manager roles. Or wanting a team lead, but calling it a manager.

And it's not helped by having hiring managers who DON'T understand infosec interviewing candidates. I did an interview for an infosec manager with the company's CTO, who had a problem that I wasn't a pentester. Being a pentester should NOT be a requirement for an infosec manager.

Recruiters that don't understand infosec aren't much help for hiring managers, because they can't help them better craft job descriptions. I had one who didn't understand the difference between an information security manager and an information security project manager.

If companies have bad job descriptions, how many good candidates are they turning away for the wrong reasons?

And when there are resources out there from SANS and NIST, there is little excuse for this.

#3: Are Recruiters Trying Non-Traditional Approaches? Most aren't. Most aren't even doing the basic approach of attending infosec organizations and conferences. How many attend meetings of ISSA, ISACA and ISC2 chapters, or attend BSides conferences and other events to look for talent? Not just the esoteric events like a capture the flag event. We had one of the largest such events in my local area and we had ZERO recruiters there.

#4: Are Organizations Sufficiently Incentivizing Existing Talent? Nope. Or many aren't. How many have a training budget? Or allow or even encourage their people to attend meetings and events to get knowledge and experience? It's very few.

Before we can claim there really is a skills gap or shortage, let's look deeper into the issue and fix some of these issues.
Michael137 at 10/1/2019 10:57 AM

RE: I think a lot of the "skills shortage" is self-inflicted

Hi Michael137 - thank you for reading and for sharing your experience. I hear your comments about misaligned job descriptions echoed among many IS professionals. Hiring managers and recruiters need to get better at defining their job requirements. There's a higher chance of finding the right candidate if the match is made easier.
Omoruyi at 10/1/2019 5:39 PM

Re: Are We Asking the Right Questions When It Comes to the InfoSec Skills Shortage?

Good article, and good comment!
John9620 at 10/2/2019 9:16 AM