There is little argument among IT security practitioners and thought leaders that the shortage of qualified information security personnel places many organizations at greater risk of attack and exposure to other vulnerabilities that threaten the security of IT systems and data.
Information Security Media Group asked these veteran experts how the skills shortage affects IT security. We sought their views in conjunction with our latest analysis of U.S. IT security employment trends, which shows for the first time in two years unemployment among information security professionals [see 3% Unemployment Among Infosec Pros?]. But even with that sign of joblessness, a severe shortage of employable IT security experts exists.
"I've had one period of time where my program was severely impacted for close to a year due to the inability to find quality candidates to fill information security positions," says Marc Noble, vice chairman of the Cybersecurity Certification Collaborative and former chief information security officer at the Federal Communications Commission.
Top Executives Don't Get It
Although the IT security challenges caused by the skills shortage aren't new, they're being exacerbated by the growing threat landscape, meaning many organizations struggle with inadequate and sometimes unqualified staff - a fact that isn't always appreciated by those in the executive suite.
"The risks are greater from a lack of qualified experts, but we're still at a point where many organizations don't understand or prioritize the security risks they face," says Allan Friedman, research director of the Center for Technology Innovation at Brookings, a Washington think tank.
Among the respondents is David Shaw, chief information security officer at Purdue University, who expresses a frustration shared by many IT security professionals: "Those who are trying to penetrate our organizations don't face the same struggles in attracting talent. If you consider the statistics out of the Verizon Data Breach report [see Verizon: Hacktivists No. 1 Breach Threat], most of the compromised organizations fell victim to attacks that were not highly difficult. When a security organization has several positions open, management should consider that a risk."
'Experts' with Questionable Backgrounds
Several of the respondents point out that the shortage means organizations are hiring people who don't have the right cybersecurity skills. "We are seeing lots of people proclaim they are security professionals, but do not have the skills, education or experience ...," says Daniel Miller, national practice leader in Grant Thornton's cybersecurity and privacy business advisory service. "The lack of security professionals means that there is a greater risk of breaches of information for organizations without security professionals there to ensure that external and internal infrastructure is secure and that information in general is well protected."
Eugene Spafford, executive director of the Purdue Center for Education and Research in Information Assurance and Security, picks up that theme: "It tends to allow those with questionable backgrounds to portray themselves as 'expert' in the field - without competition or comparison, some of them are undoubtedly being employed."
Yet, it's not just employing the unqualified that poses problems for organizations, but the misuse of limited personnel that have the right stuff. That's because many organizations approach cybersecurity as a tactical and technical problem rather than a strategic and managerial one.
Plugging Holes, Running Behind
"As a result, the security personnel are constantly plugging holes and running behind," says Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, an independent, non-profit research institute. "Instead of building security into systems from the early planning stages, when it is more efficient and less expensive, organizations tend to add cybersecurity as an afterthought, when it is inefficient and costly.
"Instead of giving security professionals enough scope and authority to propose better solutions, they expect them to cope with difficult situations created by managers who never thought about the security implications of what they were doing," Borg says. "What's more, after focusing so exclusively on patching vulnerabilities, many security professionals have no idea how to take a more effective, strategic approach. The resulting inefficiencies from a business standpoint are staggering."
Taking a strategic approach means organizations could turn to technology when they can't find qualified personnel to hire. "In order to keep up with the rising threats, we need to automate more," says Tomas Soderstrom, chief technology officer for IT at NASA's Jet Propulsion Laboratory. "Hence, we're spending time and money on automation tools that can filter, so that the IT security professionals can focus on the areas that are real threats. This will help to mitigate the need to hire more personnel."
Solving the Skills Shortage Problem
But tools can only go so far in replacing in-house skills. At the moment, it's a seller's market, and those with the right skills demand top dollar. "Right now, professionals with special qualifications can command high salaries and are heavily recruited," Purdue's Spafford says. "Companies that want to attract and keep these people need to provide positive benefits. This presents a great opportunity for junior people in the field - including recent graduates - to get meaningful, early employment. However, it also means they are often learning as they go about some issues, and prone to mistakes. Employers need to understand this dynamic."
Yet, organization could end up with what they're paying for when they employ recent graduates. "Many corporations seem to think that it's more of a bargain to hire young cybersecurity people, just out of school," Borg says. "This is a mistake, because one highly skilled senior expert can often accomplish as much as a dozen or more less experienced ones."
Borg sees an irony that the relatively few unemployed security professionals are among the most experienced. "They are not hired quickly when they leave past jobs because their salary levels seem very high," he says.
Innovation as a Selling Point
Still, salary isn't just what information security professionals seek when they look for a job. A challenging work environment with opportunities to enhance skills prove to be as important, if not more so, than the size of the paycheck.
"Programs that are innovative in their approach will gain the interest of security people," says Eddie Schwartz, vice president and CISO at security provider RSA. "If you are asking security professionals to do the same work they did 10 years ago, they will look for something else, regardless of the comp. But if you are turning security on its head, rethinking security models to use big data and intelligence-driven approaches, security pros will see these organizations as innovative and cool, and as places where they can grow their personal value."
Steve Cooper, acting CIO at the Federal Aviation Administration, says the FAA provides specialized training for all its IT security personnel. "We actively encourage and support participation in training, networking events for government and industry, educational seminars in IT and cybersecurity," says Cooper, who served as the first CIO at the Department of Homeland Security. "We also have sought out agreements with academic institutions and universities, like the National Defense University's iCollege to have our IT security personnel take courses, and more importantly, act as guest speakers in classes and academic forums. We have gotten positive feedback from our workforce that this experience attracts them to our agency."
Enjoying Fruits of Their Labor
For some organizations, appealing to prospective employees' desire to make a difference in society can attract qualified personnel in a tight job market. "Every day when I go to work I feel good that the fruits of my labor help protect the citizens of the state of Minnesota," says Chris Buse, Minnesota's state CISO. "I also like the fact that working in government gives you an opportunity to do security on a very big scale. All of us who are leaders in government security need to do a much better job actively marketing why a choosing a career in government security is the best decision, despite the fact that our salaries lag somewhat behind the private sector.
"Granted, there always will be a certain percentage who will jump ship to earn a few more dollars," Buse says. "But I am fine with letting those people go, because I want to build my franchise around players whose passion runs deeper than money. And that is the very pitch that I will be making this month to college students at the University of Minnesota and at one of our state universities, because if they hear the truth about working in government directly from me, I know that the message will resonate."