The world of information security is suffering from a workforce shortage, with the Center for Cyber Security and Education projecting a gap of 1.8 million people by 2022. Failure to address this shortfall will result in many organizations leaving security doors open, and a threat only needs to find one door ajar to cause problems.
The skills shortage has been brought about by the rapid expansion of the information security function. A huge range of roles are needed to secure the doors that protect an organization’s information.
Many of those already working in information security have come from a technology-focused background, leading the industry to be perceived as highly technical. However, extending beyond the technology component are governance, risk, compliance, people, and process. There are arguments for some of these components to be led by separate functions (for example, information risk in organizational risk, or technology within IT). Nevertheless, all components have an impact on information security. This broad range of roles, alongside rapidly evolving information security workforce expectations, has undoubtedly contributed to the workforce shortfall.
Organizations should already be considering ways of attracting and retaining the information security staff they need to secure the enterprise and its information. This is not about throwing money at the problem (there’s little money to throw around, after all), but instead about developing strategies and plans to understand the expectations of the workforce over the next two to three years, determining the extent to which existing staff (permanent and temporary) can fulfill these expectations, and identifying the gaps that need to be filled. Vendors are doing their bit to help enterprises with the workforce shortage, and increased automation in information security tools is a significant focus.
A combination of retraining, internal and external recruitment, and retention strategies will support enterprises in assembling an information security workforce capable of defending the organization’s information from the wide range of threats that could do harm.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer.