Over the last year, I (along with others on my team) have received numerous inquiries regarding a “talent crisis” that is brewing in the information/cyber security industry. Organizations continue to have critical security needs but cannot fill them because of a perceived lack of qualified candidates. The U.S. Bureau of Labor Statistics recently pointed to hundreds of thousands of unfilled cybersecurity-related jobs in recent years. Other reports by various cybersecurity vendors advise leaders that the average time to fill a position is closing in on nine months. Of course, escalating salaries aren’t helping this cause, and demand continues to rise.
I do not doubt the accuracy or scope of the above assessments. In fact, I am co-authoring a research note* (to be published next month) that accepts this reality and provides short- and long-term actionable advice for Gartner clients. One of the many angles this research will tackle is our industry’s approach towards “talent”.
When looking at various job postings, I noticed the long list of requirements that an organization looks for in a candidate. A notable example was a Security Architect posting that was partly responsible and accountable for performing scheduled VM scans. Another example was that of a Cybersecurity Analyst posting that was deemed entry level but required a CISSP and 5-7 years of experience.
This approach does not work. Organizations often feel pressured to take this route because they suffer from various unfilled security needs and, as a result, cram all the responsibilities required into one role. This approach does not fill your candidate pipeline effectively, nor does it attract candidates who may be able to do less for more elsewhere. The question to ask yourself is: does your Security Architect really need to do VM scans or a threat analysis? Is having a CISSP critical for that person’s success in the role you envision?
We must abandon this traditional approach and look for more creative and innovative ways to build a cybersecurity workforce. As we face and accept the risks of digital business, we should analyze whether we are looking in the right places for talent.
A good number of the security professionals I speak to come from a non-security background and are indulged in the business aspects of security. Perhaps there is that one bright person in one of your many business units who has shown a knack for security. Instead of requiring a CISSP-certified veteran who demands premium pay, why not train this internal person in the skills required? If this person does not exist in your organization, have you looked to collaborate with local universities and communities to attract students/millennials who can be trained to help do many of the tactical things that we often require experts for? Have you looked to create platforms/opportunities for women to balance the gender disparity in information/cyber security, a field that has long been dominated by males? How about other untapped talent segments, like veterans?
Ultimately, the talent is available to combat this shortage… are YOU looking in the right place?
*If you are a Gartner client, you will have access to our full research note that details a number of approaches and recommendations along with a framework that organizations can use to assess and close the talent gap.