SAN FRANCISCO – The latest research from the information security industry's top professional development organization indicates the security workforce shortage is only worsening, but an increased effort to hire millennials can go a long way toward closing the gap.
During a panel discussion Monday at RSA Conference 2015, (ISC)2 offered the first detailed look at the results of its newly released 2015 Global Information Security Workforce Study, which queried more than 14,000 respondents worldwide on the trends and opportunities within the information security industry, particularly with regard to hiring and training.
Based on (ISC)2 projections, the security industry will have a workforce gap of as many as six million open positions by 2019, according to Frank Dickson, research director with Frost & Sullivan, based in San Antonio, Texas.
The problem, Dickson said, is that while demand for trained, experienced infosec pros increases at a startling rate, supply is increasing much more slowly.
"It's having an impact on the infosec workforce, on the organization as a whole, on security breaches and on our customers," Dickson said.
Highlighting the challenges companies face, (ISC)2 found that while more than three-quarters of respondents said they are satisfied with their current position, the industry experienced a staff turnover rate of almost 20% last year, the highest rate of churn (ISC)2 has ever recorded.
Dickson said infosec salaries increased by nearly 5.8% since last year to an average of just under $100,000. The ability for those with training and experience to quickly raise their salary by changing jobs is an attractive proposition, he added. At the same time, enterprises are increasingly desperate for infosec talent. According to (ISC)2's survey data, 62.2% of respondents indicated their organizations do not have enough staff, up from 55% two years ago; 45% of those surveyed said their organizations cannot fill the positions because they cannot find qualified candidates.
"The [workforce] gap is rolling on top of itself," said Julie Peeler, foundation director for (ISC)2, "to the point where it's becoming exponential."
Enterprises must attract millennials to security
However, the workforce shortage can be eased if organizations make a more concerted effort to recruit and hire millennials, according to several experts who participated in the panel discussion.
Elise Yacobellis, director of global development for (ISC)2, said only 6% of today's infosec workforce is under 30 years old, and while that can in part be attributed to the industry's need for experienced workers, it's also because enterprises haven't made specific efforts to position security as an attractive career option to younger workers. However, she noted, doing so requires a different approach.
"If you look at the millennial workforce," Yacobellis said, "they want flexible hours, and they want to see their jobs as something they do, not some place they have to go, and that's a mindset that has to change in a lot of organizations."
Peeler said part of making security an attractive career to millennials means educating them about security at a much younger age, as early as elementary and middle school, which will help the general population understand the importance of security in their daily lives.
"Early education needs to be reading, writing, arithmetic and security, starting in grammar school," Peeler said.
The report also shows that millennials want other benefits not related to their salary.
Surprisingly, the (ISC)2 report details how non-compensation-related issues have a huge effect when it comes to retaining millennials, according to Dickson.
"The vast majority of them live in five states, and you don't realize that," Dickson said, "so things like flexible hours and location are redefining how you look at these jobs."
Angela Messer, executive vice president of the strategic innovation group at Booz Allen Hamilton, said enterprises should seek to implement dynamic programs for hiring, training and retaining infosec pros. Those programs should include partnerships with colleges and universities, ongoing training opportunities, regular job rotations that provide the opportunity to learn different skill sets, and the opportunity to do meaningful work and serve a higher purpose.
"The U.S. Army is looking at training cybertalent, employing them in civilian sectors, but then also keeping them active in the reserves," Messer said. "Training them that way keeps them in the industry and evolves their skillset. People are leaving jobs because they aren't being constantly challenged and they need to feel connected to the organizations."
Conference attendees attest to the problems the industry is now experiencing as issues surrounding hiring and retaining a talented security workforce plague organizations.
Many information security managers are aware of these issues, said attendee Kevin M. Lindenau, a New Jersey-based application development manager for UPS. The problem for the industry lies in getting senior management to understand them too, he added.
"I can educate myself all I want, but if senior management isn't listening and supporting these initiatives, it doesn't do any good," Lindenau said. "There has to be a strategy the leadership develops for the company, and then be brought to the employees."
Other challenges, such as company location and competition for IT hiring dollars, can hinder businesses from hiring qualified infosec professionals.
Attendee Noel Koperczak, senior manager for systems security for Fisher, Indiana-based Navient, said his organization faces challenges recruiting talent because it is not based near a large city. Security in many firms also competes for hiring dollars with other parts of the IT organization, he added.
"The recent breaches have given us a little push in terms of security hiring," Koperczak said. "A strong desire among corporate boards [of directors] to stay out of the headlines really helps."