The Great Security Skills Shortage
November 30, 2012 Leave a comment
- IT security specialists need to expand their skills range, especially in technology areas that are seeing the greatest amount of new investment
- Employers looking for good candidates need to put resources into training and mentoring programs in order to cultivate the mix of skills they are seeking
Here’s an interesting conundrum: There is an acute skills shortage in the IT security job market, but at the same time those with security skills are being turned away when they seek to advance through new job openings. It appears to be a combination of factors that have created this scenario. In a recent TechTarget article, George Hulme argues that there are unrealistic expectations on the part of those hiring. Many organizations appear to be looking for candidates with multiple talents. Not only do they want specialists, they want candidates to be specialists in multiple areas, and they want those candidates to have some leadership skills or business acumen.
Other factors contributing to this dilemma include a rapidly evolving threat landscape that is spurring a lot of changes in the technology as vendors try to keep pace with those threats. Those who specialize in firewall or IPS administration are challenged to learn how to adapt to next generation functions that move detection up the protocol stack into the application layer. At the same time, it appears that endpoint protection is quickly moving toward commodity status as it increasingly fails to detect and stop new threats, even though the largest endpoint anti-malware vendors have added more detection methods beyond identifying traditional malware signatures. With that commoditization comes the opportunity for enterprises to outsource the administration of endpoint anti-malware. And too many IT security specialists fail to expand their skill sets in this quickly changing market. At the same time, they don’t possess the communications skills or business sense needed to convey the value that they bring to their employers, or relate the increasing business risks that their employers face with the rise of cloud computing, mobility and cybercrime.
Given this new hiring environment, it’s important for IT security specialists to strive to expand their skills range, with a focus on gaining certifications and experience in product and technology areas that have seen the greatest amount of new investment. That would include SIEM and application security. At the same time, security specialists should look to improve their communications skills and their understanding of business needs, and how IT risks affect the business. But that doesn’t take those seeking good IT security candidates off the hook. Enterprises should also put resources into training and mentoring programs to encourage their existing security employees to help bridge the skills gap in areas now underserved, and they should use the promise of paid security training in desired areas as incentive in hiring promising entry level candidates.