With graduation season upon us, many graduates entering the workforce are understandably anxious about their future employment. However, at least one group is poised to take advantage of a market suffering from a massive skills shortage: cybersecurity professionals.
The Bureau of Labor Statistics’ Occupational Outlook Handbook projects the demand for information security professionals will increase by 100,000 jobs in the next seven years. That need will only increase in the coming years as cybercrime continues to prove more lucrative. The outlook for this fortunate group of new college graduates is promising. However, organizations planning to hire from this talent pool should fully understand the associated challenges.
Any effective security team requires technical members with a broad set of backgrounds and skill sets, often delineated into “Tier 1” and “Tier 2” groups. Tier 1 members generally provide a first line of review or response, and handle the most basic functions from the security team’s task lists. These tend to include following pre-determined response procedures such as virus removal, automated system restoration, or escalating the more suspicious events for further review.
Tier 2 members have more real-world experience with those escalations – the events that don’t meet pre-determined conditions. Their practical background helps to quickly weed out a false positive event or determine whether a particular observation is “wrong.”
This real-world experience is the core differentiation between a Tier 1 and Tier 2 team member – and it can only be gained over time. Granted, advanced degrees and sound technical certifications can help to establish professional credibility, but there is no substitute for real-world experience.
Unfortunately, Tier 2 team members are becoming increasingly difficult to hire and retain. The federal government announced its intent to fill 3,000 cybersecurity positions, but the talent pool they share with industry is a finite resource that is already under-filled. Many of these governmental positions are at the top of the federal pay ranges, further driving salary expectations for an experienced security professional to a level that is not viable for many organizations.
Organizations are faced with several options — none of which are ideal. They may attempt to hire a large group of Tier 1 team members, but considering the pending talent shortage, this is a challenge at best. Even if they manage to outfit their teams with a large group of new hires, such a team requires the guidance and tutelage of more experienced technical team members at Tier 2 to be effective.
Another method some organizations use to alleviate the strain on personnel is to use so-called automated solutions to supplement a sparse security team. Despite bold vendor claims, such solutions require trained professionals to effectively deploy and operate. Many also prefer to over-notify the operators to avoid “missing” a critical event. This often leads to alert fatigue, in which too many alerts lead to missing the small fraction that actually require attention.
Help is Coming…Eventually
Until the supply of talent catches up with demand, organizations have three primary options to address the skills shortage: retain, hire or outsource.
Retaining top talent is the simplest solution but can be the most expensive. As demand grows across the employment force, competitive salaries will rise faster than most organizations can support. Management must find creative ways to encourage retention without relying solely on salary and other easy perks.
Job progression opportunities are a key mechanism. An employee who sees a future with their current company is less likely to seek employment elsewhere. Investment in workforce development is another method. Establishing a fair and practical training budget shows employees they can continue career progression in a company that values their professional development. There are many other options in this area, but salary alone is rarely a practical solution to foster retention.
Hire a team
Whether building a team from scratch, back-filling vacancies left through attrition, or supporting a broader security mission by augmenting an existing team, hiring talent is a necessity for any organization. Bringing any new talent onto the team is a challenge. Recruiters and hiring managers must effectively screen candidates for technical skills and placement onto an existing team.
Evaluating Tier 1 candidates has recently been eased somewhat by the establishment of undergraduate degree programs that focus specifically on information security. Many of these programs are still in their infancy, and have yet to be proven in the workplace.
The NSA/DHS National Centers of Academic Excellence (CAE) in Information Assurance (IA)/Cyber Defense (CD) program has existed in various forms since 1998. Schools designated under this longstanding program have been widely recognized as academic leaders in what has now become known as the cybersecurity field. Even in a Tier 1 capacity, candidates from schools in this program demonstrate a notable readiness for the information security workforce.
Existing workforce members often use a new job as an opportunity to bring their salary back into line with industry norms or to “level up” their job from a Tier 1 to a Tier 2 capacity. This can lead to a situation where the organization must re-evaluate their salary budget before significant hiring can occur.
After selecting a candidate, there is an acclimation period before a new employee is contributing at their full potential. This may involve formal and on-the-job training, a gradual ramp-up period for the new hire’s workload, and other production-limiting factors.
Regardless of whether a new hire is assigned a Tier 1 or Tier 2 role, the organization has made a significant investment in their success before the new employee’s first day of work and must now continue that investment into retaining the employee.
As is the case for other job functions, outsourcing has become a notable part of the information security business landscape. While this is often an attractive option for an organization that finds retaining or hiring to be difficult, it is not without risk: instead of a personnel management challenge, organizations that prefer outsourcing incur contract management challenges.
The service-acquiring organization must evaluate potential providers in a similar manner to a hiring candidate. While the burden of providing quality is transferred to the service provider, there is still an acclimation period for both the provider itself as well as each contract worker they provide.
The option to outsource staffing is often helpful to support short-term tasks or unexpected work surges, but the flexibility comes at a cost – often much higher over the long term than hiring and retaining a qualified team on staff. When outsourcing specific technical functions, organizations should seek solutions that don’t require drastic changes to their existing workflow, and can quickly and easily improve their team’s value in the overall security operation.
The Journey is Only Starting for Organizations and Graduates
The demand for top security talent will continue to increase for the foreseeable future. While this is certainly welcome for recent graduates in security-focused degree programs, the need for real-world experience can only be acquired over time.
Acquiring practical experience starts the day they reach their first job, and continues throughout their careers. It’s incumbent on employers to foster this growth, and it’s absolutely critical for everyone in a fast-changing workforce such as cyber security to embrace it.
We’d like to challenge the employers of recent graduates to think strategically about their security teams and build their staff now to address their long-term business goals. There is already a shortage of talent, and a reactionary approach to team building will only become more complicated as threats against our information infrastructure continue to advance.