The people, processes and technology that protect digital resources and manage cyber risk are essential to sustaining businesses and societies. Even so, in many enterprises, CEOs are just beginning to fully engage in cyber security strategy and leadership. The good news is that these executives are paying much more attention to the security measures protecting their organisation’s assets, data, employees and customers than ever before. The cautionary tales, doomsday scenarios, and the threat of public embarrassment have made an impression.

However, senior executives at organisations of all sizes still understand that the global economy is not adequately protected against cyber-attacks, despite years of effort and annual spending in the multi-billion-dollar range. Added to that, shortfalls in cyber skills and capabilities are manifesting as major security incidents damage organisational performance and reputation.

Building tomorrow’s security workforce is indispensable to address this challenge and deliver robust and long-term security for organisations in the digital age. Filling the cyber skill shortage will require CEOs, and other executives, to change their attitude and approach to hiring, training and participating in collaborative pipeline development efforts. An overly rigid and traditional approach to identifying candidates, coupled with over-stressed and under-staffed work environments, is undoubtedly in need of new tactics. Organisations that fail to adopt a more creative approach will find themselves dangerously shorthanded in the next few years, as both attacks and defensive measures become more complex.

“Organisations that fail to adopt a more creative approach will find themselves dangerously shorthanded in the next few years, as both attacks and defensive measures become more complex.”

The Development of the Security Workforce
The security workforce, typically defined as the personnel responsible for an organisation’s information security activities, has evolved rapidly since its inception. The information security function often exists only as part of another associated business function, such as: risk, technical IT operations, legal and or audit. It can be identified as information, cyber, assurance, or operational security. It can also report into various business units, including finance, risk, governance, or IT.

Over the course of its evolution, the lack of a consensus definition of the information security function has allowed numerous, disparate components to form an organisation’s security workforce. For example, employees working within threat intelligence, business continuity, and security operations are all essential information security contributors, yet they rarely convene in one distinct function under a designated leader.

The Time to Close the Gap is Upon Us
Closing the gap between supply and demand is imperative for an enterprise to develop an effective security posture. It is evident that individuals with the required skills, qualifications and experience are either unavailable or demanding compensation that cannot be met with existing budgets. Because they are in high demand, talented security staff regularly move to new employers as they seek out better salaries and projects at more prestigious companies.

But is this inevitable? Are hiring managers so inflexible in requiring candidates to have specific skills, qualifications, and years of experience that they end up hindering their security teams? Are uninformed and unimaginative recruitment practices contributing significantly to the perceived shortage? As salaries escalate, organisations are urgently seeking a solution to the perceived crisis around hiring information security professionals.

To address the growing demand, organisations should extend their approach, and work persistently to recruit security professionals from a diversity of backgrounds, disciplines and skill sets. Focus on the ability and attitude of candidates rather than insisting on a host of specific skills, experience and qualifications that would eliminate a large portion of current and prospective information security professionals.

Developing Tomorrow’s Security Workforce
Increasing reliance on digital systems, coupled with a dynamic threat landscape, has made the security workforce core to an organisation’s survival. But for many enterprises, developing a sustainable security workforce is only an aspiration: attracting and retaining experienced, certified security experts is a constant battle.

Organisations need to establish a series of strategic objectives that lay a foundation for a stronger workforce and more robust pipeline. With clear direction and sustained HR efforts, organisations can formalise the structure of the security workforce, harness the appropriate talent, and bring security teams into better alignment with the organisation’s security objectives.

As the security workforce matures and finds innovative ways to embrace the vast resources of untapped talent, the exaggerated myth of a looming crisis in the global security workforce. A robust and diverse security workforce will empower organisations to face future workforce challenges, such as automation, role and function amalgamation, and increased outsourcing. At the ISF, we are seeing members already demonstrating success at cultivating teams with the necessary skills and expertise in progressive and engaging environments.

A sustainable security workforce is essential if the information security function is to become a partner to the business and effectively manage the increasing cyber risk and security burden.

About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security, digitalisation and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.