Concerns about the security skills gap and the talent shortage were heard everywhere at RSA Conference 2019. A session about data privacy focused on how the barrage of new privacy laws would increase the need for cybersecurity professionals as well as physical security. Conversations at vendor booths wondered how organizations can best address the shortage. The topic buzzed, even at the after-show parties.
No doubt about it, the security skills gap is impacting how organizations keep data and networks safe, and it is going to take a long time until we are able to see solid footing within the industry.
Most Organizations Impacted by the Cybersecurity Skills Gap
According to research from ESG and ISSA presented at RSA, 74 percent of organizations have been impacted by the cybersecurity skills talent shortage. That impact ranges from an increased workload for current staff to hiring and training junior staff because there isn’t anyone available to fill current needs.
This lack of cybersecurity talent is giving adversaries a leg up, the research added. Nearly two-thirds of the respondents admitted that the cyber defenders are overmatched. This is adding to the stress level of security staff, who already feel overworked, overwhelmed and unable to keep up with training and the ever-changing threat landscape.
Cybersecurity is becoming more specialized. We are past the days when an IT person could be told to take over security duties. The biggest needs, according to this study, are for professionals experienced (or trained) for cloud security, application security, security analytics and risk/compliance administration.
The skills shortage is defined as more jobs than people, noted presenters Jon Oltsik from ESG and Candy Alexander from ISSA, but we’re also seeing a shortage because the people in that are already in the jobs don’t have the right skills.
Skills Gap Spills over to Physical Side
But the security skills gap isn’t just an issue in cybersecurity. It’s a problem for physical security, as well.
“The No. 1 issue, whether or not a company is a manufacturer of devices or installing and designing systems, is finding qualified talent,” said Don Erickson, CEO of Security Industry Association (SIA). “It’s not a lack of resumés coming in but a lack of people with the expertise on the technician side, or as project managers, or as systems engineers, or even a sales force who can discuss security technology.”
The talent shortage in this area is a huge problem. We not only depend on physical security to protect our businesses, homes and people, but it also will impact cybersecurity and data protection and privacy. These are the folks who are develop and install the biometric systems that restrict access into a building and act as an added layer of authentication to our networks, for example. They manufacture and install the security cameras that surveil our data centers.
The talent shortage in physical security is so big that an organization like SIA can’t address it alone but needs to collaborate with other organizations to create initiatives and programs to promote security education and training.
In this case, SIA is collaborating with the Electronic Security Association (ESA) to recruit and retain qualified talent in the security industry. This includes outreach to schools from K-12 to college and vocational to increase awareness about the opportunities available and continuing educational offerings to those already in the workforce.
“We want to elevate the profile of the industry so it can compete with other sectors,” said Erickson. “There’s what I like to call a ‘war for talent’ out there, a competition between all sectors—IT, physical, other industries—so we have to elevate our profile and talk about how innovative the industry is in security technologies and protecting every component of the critical infrastructure.”
Demonstrating a Need
Erickson said while the IT security side has done a good job at talking about and demonstrating the skills gap, the physical security side needs to improve its efforts to show the need for skilled professionals in these careers. Some of the ways they are doing this include:
- Working with Women in Cybersecurity, SIA and ESA are taking an adopt-a-college approach to elevate the profile of the physical security industry as viable careers.
- SIA developed a pilot program with Mercer County Community College in New Jersey. It’s a two-year degree program in physical IT security with four disciplines: security project management, product technology, sales and security project integration.
- SIA launched an event in Minneapolis this summer geared to young professionals to attract them into careers in the security industry, with soft skills development and information about entering the industry, as well as mentoring and team-building opportunities.
- Working with ASIS, SIA created a career pathways document that describes the skills and expertise needed to work and advance in the security industry on both the supplier side and user side.
The skills shortage, both in cybersecurity and in physical security, is a massive problem. It’s bigger than one organization can solve, so we’re all going to have to work together to promote these industries as viable career paths and get the word out about the need for skilled workers in areas beyond IT.