Closing the Enterprise Security Skills Gap

The security skills gap has become a topic of acute interest among practitioners responsible for building security teams for their organizations — and keeping them running smoothly. It affects everything from how they staff, cultivate, develop and train their workforces to the operational controls they put in place, and potentially much else about their security programs.

The term “skills gap,” in a nutshell, refers to specific challenges organizations have confronted over the past few years in finding and retaining competent, trained resources for security efforts. It is a measurable trend across the industry as a whole.

For example, it takes most organizations (54 percent) more than three months to fill open security positions, the recently released 2018 ISACA Global State of Cybersecurity Survey found. That figure is consistent with its prior year’s findings.

In terms of the skills in highest demand, technical skills are the most difficult to find, and the level of position being sought is individual contributor rather than managerial in nature, the ISACA data suggest.

While these data points are interesting in and of themselves — for example as a generic barometer of staffing considerations in security as a whole — they also are important in ways that may not be intuitive. At least, that’s true for savvy practitioners: the report serves as a tool for security managers to benchmark their own staffing performance.

The fact that the skills gap exists and is being measured by numerous parties outside your organization means that the measurements you take about your own team can be compared directly to an objective, organization-agnostic benchmark. How often do opportunities to do that arise?

Say you’re planning your daughter’s birthday party and you’re thinking about serving ice cream. If your daughter doesn’t like vanilla, how much would it influence your decision making about which flavor to buy if I told you that vanilla was the most popular ice cream flavor in the world? Or that it was the most popular flavor in the U.S.? Both of those statements would be true, but would that matter? Not at all, right?

Are You Keeping Track?

The point is that both types of information can be useful. Understanding the broader trend is important because having that can help you plan more effectively. For example, knowing that it might be challenging to staff up certain skills (e.g., technical skills) might cause you to invest in strategies to maintain talent you already have in order to minimize attrition.

Further, that knowledge might prompt you to invest in strategies that let you creatively cultivate new team members in unconventional ways (e.g. through internships, “externships,” or other avenues), or invest in strategies that automate some processes.

There could be multiple viable options, but picking the one that is right for you is dependent on having some clue about what is going on in the first place.

However, understanding the broader trend in the context of how your team specifically performs is exponentially more valuable. Why? Because it lets you evaluate how the strategies you invest in are playing out. For example, if you decide to serve ice cream (vanilla or otherwise) every Friday to help make the workplace more fun, is it a useful talent retention strategy? Who can tell if you’re not measuring the outcome?

Benchmarking your own staffing efforts relative to peers, while valuable, does take a bit of legwork. It means, first of all, that you’re keeping track of performance metrics relative to staffing considerations (“temet nosce” — know yourself).

It likewise means that you’re keeping an eye on data sources available externally — that you have some degree of situational awareness of staffing issues.

Neither of these things is rocket science, but you’d be surprised how frequently security managers (even CISOs and CIOs) don’t track things like turnover, open headcount, time to fill positions, staff training goals/needs, and so forth.

It’s not that they don’t want to — it’s just that doing so is less of an operational priority than more tactical considerations — like dealing with the threat du jour, or deploying operational tools.

Remember the triad of people, process and technology? Each one is an important pillar in organizational performance. An advantage in any one of these areas means an advantage relative to peers overall. Those who can’t find staff, who have sub-par staff, or who otherwise have an ineffective or operationally deficient staffing strategy are at a disadvantage, while those who excel in these areas have an advantage.

Taking It Forward

As a practical measure, what can organizations do to make sure they’re developing their teams in a competitive way? There are a few things that can be helpful:

  1. It is a good idea to keep track of some metrics about staffing — both your organization’s ability to bring in new folks and to retain existing personnel. The few metrics I listed above are a useful starting point, but they are by no means the only possible options.

    You might want to track softer instrumentation, like staff perception about opportunities for advancement, fun in the workplace, and overall job satisfaction. These things can be correlated to harder values like turnover rate in a particular area, or other metrics that are more outcome-focused. The specific choice is up to you, of course, but the fact that you’re tracking something will give you data that can be honed and explored over time.

  2. Trending information can be valuable. In fact, it’s so important in terms of your ability to correlate measures you implement to specific goals and outcomes that it’s often better to have less specificity in terms of what you measure but a higher frequency of doing so.

    For example, if you’re experimenting with a new training regimen, you may find it more useful to assess the perceived value of the training more frequently (which allows you to get more real-time feedback and potentially pivot if you’re not getting what you want) vs. doing a more in-depth exploration of employee perceptions less frequently, perhaps once a year.

  3. It’s useful to solicit partners. HR organizations often do an employee satisfaction survey or engagement survey, for example, or use another measuring instrument (or combination of them) to benchmark employee perceptions of the organization at large.

    Leveraging this data where it already exists can provide useful data points that can help security leaders build the best teams and — maybe even more importantly — retain the resources that have proven so difficult to replace.

Ed Moyle is general manager and chief content officer at Prelude Institute. He has been an ECT News Network columnist since 2007. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the information security industry as author, public speaker and analyst.