How smart CISOs are closing the cybersecurity skills gap

From in-house training to veteran recruitment, CISOs are finding new ways to build the right team

  • Roughly 1.5 million cybersecurity jobs will go unfilled in 2019
  • New AI and automation tools are exacerbating the problem because they require new skills to manage
  • CISOs have many options to fill critical openings and develop the right skills

When it comes to hiring cybersecurity specialists, recruiters can spice up job descriptions and sweeten offer letters all they want. They still aren’t likely to attract enough qualified candidates to fill open positions.

The skills and talent gap in cybersecurity is real, and it’s not going away anytime soon. The field expects 1.5 million unfilled security jobs worldwide in 2019, up from 1 million in 2016, according to PwC. The cybersecurity talent shortage is taking a toll: Many companies can’t keep up with basic security patches, even though unpatched vulnerabilities cause the majority of corporate data breaches.

Widespread adoption of security automation tools and deep learning techniques, such as those used to predict cyberattacks, often aggravates the problem. These tools can make some tasks (such as monitoring security alerts) easier and less labor‑intensive, but they also demand different skills, like the ability to train machine‑learning models.

These pressures are forcing chief information security officers to get creative. Common solutions include retraining existing security workers, recruiting IT personnel and adding cybersecurity to their skill sets, or looking for security talent in non‑traditional populations such as military veterans and people on the autism spectrum. In some cases, CISOs are doing all of the above.

Here are some of the techniques companies are deploying to narrow the security talent gap.

1. Getting outside help

The most common tactic is simply beefing up the skills of existing cybersecurity teams. Ninety percent of IT leaders provide technology skills training to existing employees, according to a 2018 Robert Half survey. The survey found that cybersecurity was the No. 2 most in‑demand skill, behind cloud computing.

Because security needs are changing constantly, some companies opt to bolster cyber skills by teaming up with outside trainers. The SANS Institute, which provides security training and education, creates “custom academies” to deliver training customized for a company’s needs. SANS builds out the curriculum, creates the classes, and helps students obtain necessary certifications. Students may be career‑changers within the company or come from outside groups, such as veterans’ organizations.

The academy approach is one way to get around the shortage of experienced candidates for cybersecurity roles. Even for entry‑level jobs like security analyst, companies typically want at least a year of experience. “But there are only so many people in the workforce like that,” says Max Shuftan, the security program director for SANS. “Companies have to get innovative if they want to hire people.”

Global security company Fortinet, which needs a steady stream of security experts for its business, spotted a business opportunity in training people outside its own workforce. The company established Fortinet Network Security Academies at several educational institutions in the U.S. and Canada. The academies provide training and certification curricula to educators, who then create classes for students. Fortinet helps instructors keep classes up to date and supplies hardware for lab classes.

Students graduate with certifications and training on Fortinet products, but also basic grounding in general network‑security skills. Fortinet hires many program graduates. The rest are usually snapped up by other companies.

2. Flexible training

When it comes to retraining existing staff, companies typically need courses that provide flexibility around work schedules and don’t require a two‑ or four‑year commitment.

AT&T partners with the Georgia Institute of Technology and Udacity, the online‑learning company, to offer a computer science master’s degree that includes security training. The degree program is fully online so that workers can fit their coursework around their job demands. In many cases, AT&T picks up the tuition cost for employees.

Some employees aren’t looking for a degree program. Instead they just want to sharpen their security skills. AT&T worked with Udacity to create online “nanodegree” programs, which take less time to complete.

“People who are well‑employed in a job are usually not ready to leave for school,” says Norman Sadeh, professor of computer science at Carnegie Mellon University and co‑director of CMU’s Privacy Engineering Program. The university’s Heinz College of Information Systems and Public Policy created a six‑month CISO certificate program along with an eight‑month CIO program.

3. Expanding the talent pool

Many companies find that upgrading the skills of existing security employees still isn’t enough to narrow the cybersecurity skills gap. So they look further afield. In some cases, the answer is close at hand: the IT department, where tech talent is relatively abundant. “There are a lot of transferable skills,” says Fortinet’s Rob Rashotte, vice president of global training and technical enablement.

More companies are merging their network and security operations centers. With the right training, networking pros can be assigned to security roles. Fortinet has encouraged this kind of crossover internally. Its NSE (Network Security Expert) Institute training classes attract IT employees at other companies who want to bone up on security.

Another potential source of security talent is the military. NTT Security, which provides cybersecurity and risk management services, has used SANS’s CyberTalent Immersion Academy to hire veterans from Offutt Air Force Base, close to the company’s Omaha, Neb., offices, for cybersecurity specialist and security analyst jobs. The company sought veterans with high aptitude and certificates from the SANS academy, Shuftan says.

Even veterans who lack traditional cybersecurity skills can be promising candidates for security training, says Art Langer, founder of nonprofit Workforce Opportunity Services (WOS), which helps reskill people from underserved communities. WOS recruits veterans with IT and networking backgrounds, and provides training in interpersonal communications and other soft skills they’ll need in the business world.

“Everyone in the military gets a vocational education in some area, so they’ll have skills when they come out,” says Langer, who’s also director of the Center for Technology Management at Columbia University. “That often includes some exposure to the cyber world.”

WOS generally trains veterans at the request of companies like HP, Johnson & Johnson, and Prudential Financial. The companies communicate their staffing and skills needs to WOS, which looks for matches, such as networking and IT skills, among its veteran talent pool. The hiring company then provides on‑the‑job security training for new recruits.

A further source of security talent is a population whose skills have often been overlooked: “neurodiverse” workers, such as those on the autism spectrum. They often have superior pattern‑recognition skills and are able to focus intently on projects for long periods of time, skills that are sorely needed on security operations teams.

EY, the global professional‑services firm, is recruiting and hiring neurodiverse people for cybersecurity roles through its Dallas‑based Neurodiversity Center of Excellence. “Neurodiverse people are often extremely analytical and are good at examining complex sets of information,” says Dave Burg, EY’s cybersecurity leader for the Americas.

Bottom line? If you want to close the cybersecurity talent gap, hire for aptitude over what’s on the resume.