It is hard to escape conversations about the cybersecurity talent shortage these days. Rarely does a week go by without another article, study, or amplified social media thread highlighting the issue. Some are calling it an all-out crisis, and rightly so: a Cybersecurity Workforce Study by ISC2 revealed that despite the Asia-Pacific region recording the largest talent growth in the area, a 2.1 million shortage remains. In Singapore, there was a 16.5% drop consisting of 77,425 cybersecurity staff, while the shortage globally widened by 26.2% to 3.42 million.
A number of factors could have contributed to the shortage of talent and high turnover rates, including below-market compensation for entry level roles, mismatched expectations for graduates on what they will do in their first year out of college, and the high attrition rate in the broader technical job market.
Colleges, accelerators, and mentorship programs have driven more “purpose-built” talent into the market than ever before, often with the promise of ballooning demand for their skills in an “exciting and lucrative” career. It hasn’t been enough to close the gap.
This has given rise to an existential problem in security, because while technology plays a critical role in supplying new and more efficient solutions, an organization’s ability to operationalize new security technologies still depends on qualified people.
Technology and security vendors have played a role here, outpacing the market with technological advancements that require greater investment from customers already struggling to maintain talent and keep up with technology sprawl.
While technology vendors soften this blow by offering managed services bundles, it is not enough to fill the void. Businesses are still challenged as their small IT teams run at full speed, trying to justify these new investments, keep up with the rapidly evolving threat landscape and actively protect their systems.
So how can business leaders start addressing this talent gap? Here are some pointers to consider:
- A new solution is only as good as the benefits it can provide. Before adopting a new technology, business owners need to question if it helps to meet the business objectives of the organization and if there are enough trained employees to get the best out of it.
- Quality mid and senior-level individuals will more likely be attracted to an empathetic leader who has a vision to set them up for success within the business. From mentorship of junior staff to managers working with HR, a security leader shouldn’t be expected to do this alone.
- Invest in developing talent at junior, mid and senior levels, and only then begin to opportunistically target talent with advanced and specialist skills. Experienced practitioners with skills like application and cloud security or threat hunting will continue to be in short supply until broader talent farming yields more such practitioners.
In the last five-plus years we have seen the evolution in the role of security leaders in the business. This is driven by regulation, a tidal wave of corporate spending on open source, cloud, bring-your-own-device and other technologies, a booming anti-ransomware business, and high-profile data mishandling and unsafe practices by corporate data stewards.
The next two years will tell us much about how the cybersecurity talent shortage is being addressed. Security leaders and their companies should do themselves the service of discussing the challenge now, to understand how the security leadership role and organizations themselves may evolve and what it could mean for the sustainability of cybersecurity programs and their people.
By Adam Judd, Senior Vice President of Sales for Asia Pacific, China & Japan, F5 Inc
