Code Red: It's Time To Sound The Alarm On The Security Talent Shortage

If you thought the talent shortage was bad enough in the IT industry as a whole, think again. Security experts say they are facing an even bigger talent drought, one they don't see going away anytime soon.

The IT industry is grappling with a growing gap in talent, with one estimate predicting that by 2020 there will be only 400,000 computer science students to fill more than 1.4 million open computing jobs. Solution providers said the result has been a battle on the ground for qualified employees, a fight they expect will only get worse over time.

However, that talent gap is nothing compared to the chasm that exists in the security industry, solution providers and vendors agreed. The talent gap in security is the "No. 1 item" that comes up in conversations with partners about their business, said Todd DeBell, vice president of channel sales and distribution at security vendor FireMon, Overland Park, Kan.

"People right now are probably at the highest demand that I've seen in my 15 to 16 years in the security space," DeBell said.

The numbers are there to back up that assertion. According to Frost & Sullivan's 2015 (ISC)2 Global Information Security Workforce Study, 62 percent of the study's nearly 14,000 respondents said they didn't have enough security talent, up from 56 percent in 2013. That gap will continue to grow, the study predicted, reaching 1.5 million unfilled positions in the next five years.

"It's definitely a challenge in the marketplace," said Tom Patterson, vice president of global security solutions at Blue Bell, Pa.-based Unisys, No. 19 on the CRN 2015 Solution Provider 500 list. "We need to grow more security-minded people. ... The real experts in security who have been there, done that are becoming harder and harder to find."

With a limited amount of quality technical talent available to handle the onslaught of security threats facing businesses today, Jonathan Grier, principal at Grier Forensics, said the result is a scuffle for talent in the security market.

"Right now, it's hard," Grier said. "Everyone is fighting -- literally fighting -- over talent."

That will continue until the talent pool adjusts over time to meet demand, he said.

The gap has formed as threats have become more sophisticated and, as a result, security professionals have moved from practicing an exclusive "black art" to a more mature industry that is cross-pollinating with other areas of IT, Grier said. The Frost & Sullivan survey backed up his point, saying that a growing footprint for security across mobile, cloud, Internet of Things and more is driving up security budgets and causing companies to look to increase headcount, which catalyzes a supply and demand challenge across the industry.

The effects of that gap already are starting to show, the survey found.

"Signs of strain within security operations due to workforce shortages are materializing. ... The net result is that information security professionals are increasingly cornered into a reactionary role of identifying compromises, recovering from mistakes, and addressing security incidents as they occur rather than proactively mitigating the contributing factors," the study said.

However, security experts agreed that the answer to the problem isn't as simple as incentivizing more college graduates to jump into the security market. They need to be the right kind of graduates, they said.

Don Maclean, chief cybersecurity technologist at DLT Solutions, a Herndon, Va.-based solution provider that is No. 35 on CRN's 2015 Solution Provider 500 list, said much of the security talent today is focused on compliance, but what the industry needs is more "nitty-gritty, hard-core security engineering work," such as implementing complex software. That imbalance is a result of generally higher salaries in the compliance and documentation side of security, despite the generally more difficult expertise needed for engineers, he said.

To complicate it further, companies also need to cultivate a balance in their employee roster between skills in traditional technologies and in emerging technologies such as mobile, cloud and the Internet of Things, said Gerry Grealish, chief marketing officer at McLean, Va.-based Perspecsys.

"From a skills perspective, if I'm a CIO or a CISO, I want a bunch of folks who are well-trained and motivated. Some will be legacy employees with new skill sets and some will be new employees ... and that's going to create the best environment from a security skills perspective," Grealish said.

To build that balance requires a cultural change away from compliance toward preventative actions, DLT Solutions' Maclean said.

"That's a cultural change," he said. "You're trying to mitigate bad human behavior of people attacking you with good human behavior by implementing new technologies properly. To me, that's the biggest issue -- just changing the culture and attitude to say ... compliance is not enough."

The new breed of security talent can come from a variety of sources, experts said. While interest in security is growing, Maclean said he sees universities having trouble keeping up with a rapidly changing industry. He said he sees it as the responsibility of vendors and solution providers to evangelize for security to clients and the next generation of talent.

"I definitely think that as the security vendor or provider develops technology that is security-oriented ... they should definitely be promulgating that, for their own sake to help their own product but also for the general good of the security community," Maclean said.

The good news for the security industry right now, Grier said, is that, in his experience, talented individuals in other areas of IT have found it fairly easy to transition their skill sets over to the security industry. That has become especially true, he said, as security permeates into all aspects of the IT industry.

"I think there's going to be a convergence and it is already starting," Grier said. "As security becomes another aspect of IT and computer science, you're going to have people moving back and forth freely. ... It's just becoming part of a broader mix."

Those who have a challenge transitioning, Grier said, are the compliance and audit professionals who have to transition to protecting against advanced threats.

While all the experts agreed that the current talent situation is dire, most said they expected the gap to slowly fill in over the next few years as security threats persist. Frost & Sullivan predicted that more than 195,000 security professionals will be added over the next year, a jump of 6 percent.

"People are in general becoming more cybersecurity-aware. There will be a move for talented young people to move into the field. There's starting to be more money available there and there's somewhat of a vacuum [for talent]," Maclean said.

Grier agreed. "I don't think it's going to stay like this," he said. "People are asking me every day how to get into security."

This article originally appeared as an exclusive on the CRN Tech News App for iOS and Windows 8.