In late 2013, Cisco reported there were a million unfilled cybersecurity positions globally. Cybersecurity Ventures expects that number will rise to 3.5 million by 2021.
Despite the severe workforce shortage, there was quite a bit of optimism on the topic at the recent WSJ Pro Cybersecurity Executive Forum held in New York City. A few of the WSJ speakers agreed to offer some of their thoughts for CSO readers.
Jennifer Steffens, CEO, IOActive
“Organizations are waking up to the critical importance of security,” says Jennifer Steffens, CEO at IOActive, a global security consultancy with headquarters in Seattle. Steffens calls that the good news.
“The bad news,” she says, “is the workforce shortage will grow unless organizations also wake up to how they approach finding and retaining talent.”
She makes an excellent point, which hiring managers would be wise to heed.
“There is a wealth of talent around the world that wants to engage in this global fight,” adds Steffens. “They may not be classically trained, have a certain degree, or fit into any mold you’ve seen before. To succeed we must challenge the norms and embrace a culture that celebrates this diversity.”
Translation: Stop banging your head against the wall looking for the same people in the same places, where you’re not likely to find them. There are numerous pockets of prospective candidates for employers to consider, including women and minorities, IT workers with an interest in crossing over to security, young people with criminal justice degrees, law enforcement personnel, and a myriad of others.
Pete Chronis, CISO, Turner
Turner, a global media company with some of the most valuable entertainment and news brands in the world, is an anomaly when it comes to recruiting cybersecurity pros.
Pete Chronis, senior vice president and chief information security officer (CISO) at Turner, says the company has no problem attracting a sufficient number of applicants for their positions insofar as hard skills go, although there can be a challenge with finding people who are technically savvy and emotionally mature.
Turner has a lot going for it in terms of being an attractive company to work for, but there’s more to it than that when it comes to filling a pipeline of experienced cybersecurity candidates.
Like Steffens, Chronis looks beyond the prototypical profile for his hires.
“As CISO, having a diverse staff, people from different backgrounds, helps create the most dynamic and productive team,” he says. “Our diversity initiatives help us attract a broad spectrum of candidates — including university grads, minorities, women, ex-military and people from all walks of life.”
At Turner, candidates also get the long view.
“We spent a lot of time growing our organization over the last year, adding junior and senior positions,” says Chronis. “One thing that was really important to our existing staff is having a clearer idea of what their career path can look like at Turner. We spent a lot of time this past year building out and communicating our career plans — and that is important for retention.”
Chronis is also a realist when it comes to certain recruiting challenges.
“For some of the more competitive security positions, you will sometimes have to make exceptions and pay upwards of what you might have been expecting in order to recruit the best people,” he says.
A recent CSO story reported that cross-training information technology workers on security should be a top priority for CIOs and CISOs. Unfortunately, too few organizations subscribe to this philosophy. But Chronis does.
“Turner has a supportive culture when it comes to IT workers potentially crossing over to cybersecurity. Having strong relationships with your peers helps make transitions easier,” he says.
Chronis explains that retaining good cybersecurity people is far more difficult than recruiting them. As a result, the Turner security team has an excellent reputation, which helps draw the better candidates.
Jeremy King, President, Benchmark Executive Search
The biggest cybersecurity recruiting challenge is attracting and hiring the upper-echelon experts, which often includes ex-military cyber experts. This is where the picture becomes less optimistic.
Jeremy King, president at Benchmark Executive Search, a boutique executive search firm focused on CxO, vice president, general manager and board-level cybersecurity positions, sat on a panel covering cyber talent trends at the WSJ event. He was asked about the demand for U.S. government talent crossing over to the private sector, a hot topic.
King emphasized that there’s a tremendous amount of demand for what he calls “the hundred most senior people that have come out of the national-security community.”
Who are the hundred most?
“If you look back 20 years, they’ve really been charged with protecting our country’s secrets, our networks and classified data, and [they] have the playbook,” says King.
One hundred is a small number, considering that every Fortune 500 and Global 2000 corporation would benefit from their experience — not to mention the government agencies trying to hold on to them (for those who are still in their employ), as well as venture-funded cybersecurity startups and other organizations.
“These seniors are needed by corporations who are now having the exact same problems of defending from threats and protecting data,” says King.
Cyber crime is a people problem, not a technology problem. We need more cybersecurity graduates, entry- and mid-level workers, and experts. More on that in an upcoming story.