How can enterprises manage the cybersecurity skills gap?

Security now spearheaded by specialists

It's a different story today. Security is now a proactive process, led by in-house specialists. As such, the demand for dedicated security professionals is much higher -- so high that organizations, including the federal government, can't seem to find the talent they need. In the aftermath of the Office of Personnel Management (OPM) hack earlier this summer, U.S. CIO Tony Scott said that identifying security talent is "the hardest recruiting that there is on the planet today."

So, why does this growing cybersecurity skills gap exist? Why has even the federal government struggled to find skilled people? A few factors are at play.

A gap of 1 million IT security pros won't be erased overnight, and for many companies, it could take years.

First, cybersecurity is a very specific field. If you want to work in cybersecurity, your background must encompass both computer science and networking. You must be acutely aware of the cybersecurity landscape -- from older, static threats like malware to new ones like advanced persistent threats. It's challenging to find experts possessing this breadth and depth of skills.

Additionally, as companies build their in-house security teams, they're often pulling talent from their general IT departments. Think of the systems administrator who never intended to have a career in security, but is now the person responsible for protecting core elements of the company's network. A person with no interest in security is just as big of a problem as a person with no security skills at all.

This role-to-skills mismatch is just as common among high-level IT security officers, such as CIOs and CISOs. In these roles, they have primary responsibility for building and managing a reliable team of security experts and resources, whereas in the past, they primarily focused on building and managing information technology systems.

The bounce-back factor is an important ingredient

This relates to the last factor, which is that IT security pros need thick skin. It's common for security teams, and particularly C-level security officers, to come under fire when an attack is successfully launched against the company -- no matter the context. Perhaps that's in part why a CIO's average tenure is only four years. The reality is that almost every company today experiences some kind of cyberattack. Security teams must be resilient, bounce back quickly and learn from these attacks, so they don't happen again.

A gap of 1 million IT security pros won't be erased overnight, and for many companies, it could take years before their security staffing needs are met. In the meantime, understaffed and under-resourced IT security departments will need to depend on security technology -- from centrally managed remote access VPN offerings to threat detection system firewalls -- to help them gain reach and better protect their organizations.

Such a platform -- robust and automated -- will enable companies to defend themselves from today's most considerable threats, no matter how large their security talent deficit may be.