The cyber talent crisis
By Megan Brister and Winnie Chan, Deloitte
Globally, companies are facing a 22 per cent vacancy rate for cyber security talent – levels not seen since organizations needed Y2K programmers in 1999 (Schneier, 2015). While this poses a tactical challenge for chief information security officers (CISOs) trying to execute their cyber security strategies, it also presents a significant business risk for companies. The talent shortage means organizations have a smaller bench to address advanced threats and are taking longer to implement their cyber strategies. As a result, organizations are slower to detect threats and remain vulnerable for longer.
The statistics align with what many organizations are experiencing on the ground in recruiting cyber talent. Organizations have seen a significant spike in competition for strong cyber candidates at all levels – particularly in the last two years. At any given time, there are hundreds of cyber security-related jobs open to candidates, and organizations are aggressively pursuing the same talent pool.
Challenges of the talent deficit
The cyber talent shortage creates challenges for organizations that go far beyond a lack of staff. Practitioners with the security expertise to analyze events and hunt for patterns that may indicate an advanced persistent threat are difficult to come by. As a result, organizations continue to rely on traditional, signature-based methods to monitor for threats. These methods detect known threats in real time, but because they match only indicators that have been seen before, they are largely ineffective against advanced threat actors who are well organized and well funded and who bring new tooling to each campaign. These threat actors conduct reconnaissance over several weeks or months before carrying out large-scale attacks from which they profit financially and which damage the target organization.
Organizations are also putting junior security professionals into more senior roles because of the lack of available talent in this industry. To be effective, a new CISO must learn the operations of the business, determine the criticality of assets and information, and understand and address business risks. This is a big job for a junior security analyst, and it requires organizations to make the right support and learning available to the individual to ensure her or his success.
Lastly, organizations are re-purposing roles in the hopes of transitioning technology, compliance, or data protection staff into CISO roles or other security positions. This strategy requires significant investment in training, job rotation, and job shadowing to be successful.
Complicating the competition
The EC-Council, which offers the Certified Ethical Hacker certification, found that the average salary for certified ethical hackers is approximately $71,331 per year. By comparison, a criminal can buy a banking Trojan, an exploit and a spam mailing to spread the malware for approximately $3,000, and can expect an estimated payout of $72,000 (Kaspersky Lab, 2014). Legitimate employers are competing for skills that the criminal market rewards at least as well.
How organizations are responding
Organizations are responding to the talent shortage in a number of different ways. Recruitment teams are building relationships with passive and active candidates in the market to develop talent pipelines that meet immediate as well as future needs. These “warm” pipelines help recruiters fill security roles as soon as cyber projects are approved – and keep a pulse on who is available in the market.
More organizations are focusing on campus recruitment, not only to meet long-term cyber talent needs, but also for short-term requirements. A robust campus recruitment program can provide organizations with a steady stream of talent each year and for future years. Offering training and mentorship programs to these new graduates enables organizations to grow their cyber talent within and gives them greater control over succession planning and forecasting.
Employers are also focused on creating a cyber-ready work force at all levels, with boot camps and training programs targeted for CISOs or those rising through the ranks to one day take on the CISO role. “Deloitte understands that organizations need their CISOs to hit the ground running. We use an intensive one-day CISO Transition Lab to help a CISO develop a plan for success and give focus to her or his first six months,” says Marc MacKinnon, who leads Deloitte’s security management, privacy, and resiliency practice in Canada.
Organizations are also outsourcing more often – especially security operations that require 24×7 staffing and are put at risk whenever security staff leave. Outsourcing gives organizations access to a continuously trained bench of security experts, and the risk of attrition is transferred to the firm or vendor.
Security professionals often do not fit the typical mold, causing organizations to rethink career progression and incentives. The traditional model of moving from analyst to management is not an end goal for many security professionals, who may be more interested in working with new technology or interesting cyber problems. “These are not people who want to occupy the corner office. Organizations are adapting their incentives and performance metrics to ensure cyber security professionals are motivated to stay and to move up,” says Nick Galletto, Deloitte’s cyber risk leader.
Other incentives that organizations are offering include the ability to work entirely from home and flexible work hours. Mentorship programs are also highly desirable. Compensation cannot make up for the learning opportunity to be mentored by or work alongside someone who is recognized as a leader in her or his field. Providing a variety of challenging work projects is also attractive to cyber professionals who are passionate about cyber security and are keen on continuous learning.
In light of this frenetic environment, organizations need to do more than rely solely on recruitment as a way to meet their talent needs. A combination of strategies should be considered, including growing talent from within, CISO-specific training and enablement, outsourcing, and investing in campus recruitment to maintain an ongoing pipeline of future talent. While organizations cannot control the cyber skills shortage in the external market, they can take action to address their talent needs and – most importantly – mitigate their cyber risks.
About the authors
Megan Brister, CISSP, PMP, SABSA, is a cyber security professional in Deloitte’s cyber risk services practice, with more than 15 years of experience helping organizations understand their cyber risks, balance investment and risk, and develop and transform their cyber security programs and people.
Winnie Chan is a talent acquisition manager at Deloitte and has more than 10 years of experience in the professional services industry, with a diverse background in talent advisory, campus recruitment, and experienced hire recruitment.
Schneier, Bruce (2015). Bruce Schneier on Security: 2015 Predictions and Trends (webcast).