The security hiring shortage is still a very real problem facing the industry. While people looking to enter the security field need to take certain steps, some in security argue that enterprises need to change their expectations of job candidates. If this "beggars can't be choosers" principle is true, what should enterprises look for when hiring security staff? Should companies put less focus on cybersecurity skills?
Should companies put less focus on cybersecurity skills? In a word -- no. Whether an organization hires the skills, outsources for them or builds them, it still needs cybersecurity skills to stand toe to toe with today's onslaught of cyber threats and attacks. Companies can play the odds by choosing not to take any action at all and hope it does not result in them being a casualty, but this puts future employment on the line, as well as putting the enterprise at risk.
Admittedly, according to the 2016 State of Cybersecurity Report by ISACA, the 842 participants polled see the skills gaps among today's cybersecurity professionals in the ability to understand the business (75%), good communication skills (61%) and technical skills (61%). The same report states that an average of 60% of respondents feel that half of cybersecurity applicants are qualified for hire.
From the 414 group of teenage hackers in 1983 to today's state-backed hacking groups, such as those in Russia and China, cybersecurity threats have become more sophisticated, deliberate, successful and damaging. Until the day that cybersecurity becomes available in a single microchip, the need for cybersecurity professionals will continue to rise.
Hiring cybersecurity skills is one way to deal with the shortage. Companies can hire using search firms that understand cybersecurity, IT risk, information systems audit and GRC landscapes. They can also seek the help of independent, knowledgeable firms -- such as the Big 4 or cybersecurity professional services firms -- to vet the right candidates. There are candidates available, but know that these come with a price tag.
Outsourcing is another option. Transferring cybersecurity to a service provider does not completely transfer the company's risk or liability. Outsource the most technical aspects of security monitoring and detection, but keep follow-up and reporting with existing staff. This allows them to develop proficiency in case the company later decides to bring these skills back in house.
Companies can also build cybersecurity skills. If hiring and outsourcing are too expensive or difficult, the company needs to build security in house. Keep staff with aptitude, work ethic and the desire to learn. Send them to SANS, ISACA and Information Systems Security Association training courses and seminars to develop their skills. Have them seek certifications such as Certified Information Systems Security Professional, Certified Information Systems Auditor, Certified Information Security Manager and SANS skills-based certifications. Once they have identified their niche, have them take performance-based certifications, such as Offensive Security Certified Professional, Certified Ethical Hacker and GIAC Certified Penetration Tester.
There is a fourth option -- do nothing about the cybersecurity skills shortage. Although not advisable, a company could accept the risk and decide to remediate and absorb the loss after an incident if it feels the cost of acquiring the skills would be higher. For a private company with only a modicum of risk, this could be a viable option until a real breach shows whether that judgment was right. Companies could put less focus on cybersecurity skills, and since the IT staff understands IT, shouldn't they also understand cybersecurity? Carefully consider whether you want to find out.
Related Q&A from Mike O. Villegas