A growing shortage in security professionals with skills is creating a seller’s market, experts said.
As the growing gap between supply and demand is creating problems for many enterprises and may cause some to cast a wider net in search of talent, the security industry will need to add nearly two million jobs during the next three years in order to keep up with demand, according to industry figures.
“As more advanced technology is deployed — technologies like cloud and bring-your-own device — there’s a demand not only for more skills, but for different kinds of skills,” said Hord Tipton, executive director of (ISC)2 during a conference this week. “Once you get your arms around one thing, there’s something else you need to be ready for.”
“There aren’t enough good people out there,” said Brent Conran, CSO of McAfee, who previously served as CIO for the U.S. House of Representatives. “In a lot of cases, you’re in a position where you have to take a kid out of college and get them ramped up very quickly.”
In its 2011 (ISC)2 Global Information Security Workforce Study, Frost & Sullivan researchers projected there will be 4.24 million security professionals in the global workforce by 2015. The current figure is 2.6 million.
The “skills gap” is coming from a variety of factors, including increasing volume and sophistication of attacks, greater compliance requirements, and a shortage of professional training, experts said. While the global security workforce has grown by an estimated more than 600,000 in the past two years, there still are more positions open than there are trained people to fill them, experts said.
Many companies are still struggling with how to hire security professionals, Tipton observes. “It often falls to human resources people, but they don’t always know what questions to ask,” he said. “They need to understand what tools that the candidate has used, what specialized areas they have experience in, and what certifications they have. Hiring security people is not always an easy process.”
“The problem is not that we have a shortage of security people — the problem is that the people who do the hiring are too binary in their thinking,” said Winn Schwartau, chairman of MAD Security, who gave a presentation on security hiring practices at the conference on Monday.
Schwartau suggested companies are too reliant on finding employees who have degrees and certifications, fit a certain age bracket, or even a certain type of hair and dress code.
“All people are not created equal,” Schwartau. “Security is a creative pursuit, whether it’s on the offensive side or on the defensive side, and it’s not always done by people who work 9 to 5. It’s not about fitting in, but the CEOs and the lawyers and the HR people make it that way.”