Everyone in the cybersecurity space can agree that we are in the midst of an enormous skills shortage. ISACA predicts that we will be short two million cybersecurity professionals by 2019.
Nearly 72% of firms say they are finding it difficult to identify and hire high caliber cybersecurity professionals, according to a survey by Booz Allen Hamilton. With no clear options and a massive talent need, security and IT leaders need to create the desired security skill set within their existing employees.
Many seem to think that the skills gap is simply a bi-product of digital transformation. While that is certainly a contributing factor, I believe the gap has always been there. Only now, with increasing public breaches companies are starting to feel it.
The average user has a myriad of different user accounts, and every server has a complex set of configurations. Each one increases exposure, likelihood of human error and could potentially be exploited by a cyber-criminal. All it takes is one slip up to wreak havoc on your organization. This increase in vulnerabilities demands a corresponding increase in manpower to secure the environment.
The profile of a modern security hire
However, the skills gap is widening as cloud platforms demand an increasingly complex set of cloud SecOps skills. The profile of a security hire has transformed along with development practices and modern infrastructure.
Today we require personnel not only with technical expertise but also the ability to communicate across the business and balance the needs of multiple stakeholders, from product line managers to ops teams.
Today’s candidates need a combination of DevOps, security, and cloud experience. Finding recruits who check all these boxes is a time-consuming exercise with low yield. This being the case, you would think that the security community would try to come up with creative solutions. Unfortunately, businesses are too often focused on their short term needs. They try to throw money at the problem, offering higher than average salaries to the few qualified candidates in order to poach them away from one another.
Invest in developing internal security skill sets
A far better investment of the community’s time and resources is apprenticeship programs. Apprenticeships allow security leaders to proactively draft and develop the security talent from within and groom them into the cloud SecOps roles that the business needs.
Stealing security talent from other vendors is simply avoiding the issue, and as a community we cannot afford to kick this can down the road for much longer. We need to devote our resources to training, both internal and external, so that we can grow security talent and plug the skills gap.
At Outreach, we’ve leveraged our company-wide apprenticeship program to grow two recruits into successful security professionals. We kicked it off with one recruit - an internal developer. He had no real background in the discipline. What he did have was passion and the aptitude to take on the complexity of cloud security. I leveraged his engineering skills and internal relationships to partner even closer with our Engineering and Product teams.
Our second recruit originally came from our inside sales team! Yep, you read that right. He joined my team as an IT admin and got a taste for the importance and excitement of cloud security. We sent him through an internal and external training program; and we also partnered with key technology vendors, in this case cloud security and monitoring vendor Threat Stack, who helped train our apprentice on how to use their tools and grow into his new security analyst role. The next thing we knew we had a young professional at the beginning of a very promising career in cybersecurity.
There is an opportunity for companies to implement similar programs and create a sustainable solution to the cybersecurity skills gap. For every engineer we’ve put through our apprenticeship program, even when it hasn’t worked out, we’ve still received three months of good work from them which has helped with internal security awareness.
Let's embrace the talent we already have and get them into apprenticeships early in their careers while they’re still malleable. If we devote our resources to drafting and developing security talent, we can build the workforce we need.