The ongoing cybersecurity skills shortage is forcing many companies to find creative ways of keeping their IT infrastructure secure.
As author and Prelude Institute Chief Content Officer Ed Moyle reminds us in the E-Commerce Times, effective corporate cybersecurity is about people, processes, and technology. “Each one is an important pillar in organizational performance,” he says. “An advantage in any one of these areas means an advantage relative to [one’s] peers overall.”
We’ve previously explored both the processes and the technologies companies should consider when crafting their cybersecurity strategies, but the “people” component is a little more complicated. That’s because, thanks to the ongoing cybersecurity skills shortage, many companies are having a hard time hiring the staff they need to protect their IT infrastructure.
Back in April, the Information Systems Audit and Control Association (ISACA) released its fourth annual State of Cybersecurity report. While 64% of the companies surveyed indicated that they have plans to increase their cybersecurity budget this year, this commitment has yet to translate to more robust cybersecurity staffing.
“Even though enterprises have more budget than ever to hire, the available workforce lacks the skills organizations critically need,” explains ISACA CEO Matt Loeb. “The persistent cybersecurity staffing problem is not a financial one.”
According to the report, over 70% of hiring managers say that “individual contributors with strong technical skills” are in high demand and short supply, so much so that it takes 54% of companies more than three months to hire for these kinds of positions.
Even when companies do make a hire, they tend to either settle for a less-than-ideal candidate or pay a substantial premium for top-notch talent. Roughly 30% of hiring managers admit that less than a quarter of applicants for cybersecurity positions are sufficiently qualified. What’s worse, a meager 12% of corporate cybersecurity professionals believe that any more than three quarters of the people currently working alongside them are properly qualified.
Compounding the problem is the high cost of filling security positions. As McAfee highlighted in its Hacking the Skills Shortage report, “The median cybersecurity salary…is at least 2.7 times the average wage, [and] cybersecurity jobs in the United States pay an average of $6,500 more than other IT professions, a 9% premium.”
This confluence of factors explains why nearly 60% of companies report at least one unfilled cybersecurity position, a status quo McAfee expects to remain unchanged through at least 2020. But, as Moyle suggests in an attempt to find a silver lining, “The [ISACA] report serves as a tool for security managers to benchmark their own staffing performance.”
“For example,” Moyle continues, “knowing that it might be challenging to staff up certain skills (e.g., technical skills) might cause you to invest in strategies to maintain talent you already have in order to minimize attrition.”
This might involve creating skill-specific internship/externship programs, incentivizing conference attendance, or any number of other creative approaches to developing existing in-house talent. Loeb agrees: “More of [companies’] dollars need to be invested in technical cybersecurity training, along with effective retention programs.”
In addition to developing their existing in-house talent, many companies have chosen to partner with a managed IT services provider like Turn-key Technologies (TTI) to mitigate the cybersecurity skills shortage. In fact, according to McAfee, over 60% of companies already outsource a wide variety of cybersecurity work, including risk assessment, network monitoring/access management, and compromised systems repair.
With managed IT services, companies don’t have to choose between high-quality cybersecurity and affordable cybersecurity. These services represent an excellent solution to a skills shortage whose end is still far beyond the horizon.