Organizations Combat Chronic Security Understaffing by Hiring Less-Experienced Professionals

A. DeCarlo
A. Larsen DeCarlo

Summary Bullets:

  • Facing serious internal IT security expertise limitations, many organizations are hiring lower-level staff and providing professional development on the job.
  • This strategy appears to be yielding good results with many prepared to work on assignment independently within six months, according to an (ISC)² survey of hiring managers.

IT security organizations are under acute pressure.  Navigating an escalating threat environment often with a lack of internal expertise, companies are reassessing approaches to staffing and casting a wider net with respect to hiring for IT security roles.

In a recent survey of 1,250 hiring managers in Canada, India, the UK, and the US, the non-profit International Information System Security Certification Consortium (ISC)² found many organizations are increasingly hiring staff with limited or no experience in cybersecurity.  Entry and junior-level IT security employees (for the purposes of the study) were defined as having less than one year and less than four years’ of security experience respectively. Combined, they account for almost two-thirds of all security positions.  The smaller the company, the larger the percentage of less-experienced security professionals is.  That said, even large firms need to fill their ranks, with companies with 5,000 or more employees reporting that entry and junior-level employees make up 56% of their security organizations.

Training is obviously a fundamental component of helping these newer security professionals be effective in their roles.  Most of these enterprises (91%) providetraining to these workers. These efforts can yield good results quickly.  Of the surveyed hiring managers, 37% said that lower-level staff members were able to take on tasks within six months or less after they were hired.

Most described the spend associated with training lower-level security as reasonable. The survey showed that 82% of training costs were less than $5,000, with 42% under $1,000 to bring their new staff to a point where they can take ownership of assignments.

Some also recruit from other departments within their organization.  The smaller the organization, the more likely they are to use this avenue with 46% of entities with fewer than 100 employees going this route versus 34% of businesses with 5,000 or more employees.  IT is the most common source for cross-skilling/upskilling workers in cybersecurity, representing 89% of the retrained security workers. However, staff come from other departments as well, including customer service, communications, and human resources.

How is your organization managing IT security staffing challenges? Are you willing to train net new employees or staff from other departments on the job? Has training produced good results for your enterprise?

What do you think?

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.