creative soul - Fotolia

Cybersecurity talent shortage: Is recruiting from IT the golden ticket?

At the 2017 ISSA International Conference, experts urged companies to recruit from existing IT staff to confront the looming cybersecurity talent shortage.

Cyberattacks continue to make headlines, and a cybersecurity talent shortage could add fuel to the fire: The Information...

Systems Audit and Control Association, or ISACA, a nonprofit information security advocacy group, forecasts a global shortage of 2 million cybersecurity professionals by 2019.

The cybersecurity industry is growing exponentially, but cyber is relatively new from a higher-education perspective, said Kathie Miley, COO at Cybrary, based in Greenbelt, Md., during a panel discussion on the global cybersecurity talent shortage at the 2017 ISSA International Conference in San Diego. Formal cybersecurity schools and certifications have been around only for a short time and are still very expensive, Miley said.

"People who aren't having their training paid for by their employer simply can't afford it," she said. "It was inevitable that we were going to face this shortage without a really clear-cut way to providing them with those skills and practical work experiences that employers are expecting today."

To address the cybersecurity talent shortage, one of the best places to recruit is from the current IT staff, Miley suggested. Organizations should be transitioning IT professionals, like system administrators, network administrators and software developers, into cybersecurity roles, she said. The techniques required to be a cybersecurity expert call for practical experience in IT, she explained.

"A lot of it is administrative, a lot of it is operational, and a lot of it is network and application development. If we have [those] people who fundamentally have that foundation already built, then it's not too far to get them up to the next level to become cyber experts," Miley said.

A strong foundation in IT is critical to understanding the core technologies and underlying security principles, said Travis Rosiek, chief technology and strategy officer at BluVector, based in Arlington, Va.

Rosiek said he sees value in transitioning existing technical personnel to security roles, mostly because they have the organizational knowledge of how systems work, where there is likely going to be a problem and how things can be remotely accessed. This gives them an insight into how an adversary might exploit or use existing tool sets for an attack, he added.

It was inevitable that we were going to face this shortage without a really clear-cut way to providing them with those skills and practical work experiences that employers are expecting today.
Kathie MileyCOO at Cybrary

"Adversaries are becoming more stealthy and leveraging underlying IT systems like PowerShell, which system administrators typically use, making it much harder to identify [any deviations]. Having that understanding from a good IT background is therefore helpful," Rosiek said.

But IT staff often still harbor a negative perception about security professionals, which might pose as a hurdle when encouraging a transition into security roles, panelists warned.

"People think we are the people that say no; we only say no when it needs to be that way," said David Goldsmith, CTO at U.K.-based NCC Group. "Security is about enabling; the reason why organizations have a security team is so that you can get business done."

To convey the value that cybersecurity professionals bring to an organization, senior security leaders should be vocal about their efforts and better articulate the benefits of risk management strategy, Goldsmith suggested. Organizations need to garner support from the executive leadership to establish a sound cybersecurity program and a top-down culture of security, panelists added.

Another effective way to address the cybersecurity talent shortage is instilling an interest in cybersecurity among the younger generation, panelists said. For example, there should be more emphasis on making STEM programs attractive to students, panelists stressed.

"We have to make sure the up-and-comings know that the job exists," Miley said. "I think we all do a terrible job in communicating what cybersecurity is, and we overcomplicate it ... we drive them away from cyber instead of letting them know of the value that we are adding to the world."

Next Steps

What's causing the shortage in cybersecurity skills

Recruiting women to address the cybersecurity skills gap

Employing tools to overcome the cybersecurity skills shortage

Dig Deeper on Risk management and compliance