violetkaipa - Fotolia
Many security and compliance officers have no doubt run into this situation of late: As the economy recovers, the executive team finally approves job requisitions submitted months, if not years, earlier, to add midlevel or senior personnel leadership that is desperately needed. After days, maybe even a few weeks, of little to no interest from your colleagues inside the company, the human resources team informs you that instead of the hundreds of candidates that were expected, there are only six candidates to review. Then you notice that all six of the candidates have a fraction of the required experience or security and compliance skills mentioned in the posting, if any at all. In addition, the people who are applying are looking for up to 20% to 30% more than what the position normally pays, regardless of experience.
I was a little surprised when I experienced this same scenario trying to fill four different roles in the past two years. All four were standard security roles ranging from junior to midlevel security technology "generalists." In years past, my HR team would have to put a deadline on the postings just to keep the total number of applicants to 200 to 400. Now, it's not unusual for my HR team to get only 10 to 20 applications during a three- or four-week posting period. Many of my peers have since mentioned to me that they, too, are seeing a general lack of security personnel.
The high-profile data breach factor
There are a number of factors that will determine the availability (or lack thereof) of security talent, regardless of what part of the world you are in or the skills you are looking for. In a broader sense, however, one particular factor seems to be a significant contributor: the recent onslaught of data breaches by the hacking community and the publicity they generate.
It's arguable whether breaches have actually increased in number, or if organizations are simply doing a better job of detecting and reporting them. Either way, there is no doubt that there has been a significant increase in the number of companies looking to start a new security and compliance program, or expand the programs they have in place, to avoid being the next hacking target.
The more widely publicized retail industry breaches, including those of Target, Home Depot, Michael's, Neiman Marcus and Goodwill, resulted in some very bad press for these companies. To avoid a similar fate, many smaller retail organizations that don't have formal security programs are now rushing to build one. These small to medium-sized retail organization might not be able to afford an experienced CISO or hire a big team, so they look to cull midlevel professionals from larger organizations to be their security leader.
This has increased security salaries -- particularly those of junior and midlevel security personnel -- but the sheer demand for security resources across industries has exceeded the supply. There still appears to be interest from experienced IT and audit professionals who want to take a more active role in security and compliance programs, but the rate of that progression hasn't kept up with the number of new positions and programs. Combine that with the fact that new security threats and technologies are forcing established programs to expand, and you have the perfect storm for lack of job candidates.
Although yet to be quantified or proven, this broader security focus across all industries might come at the expense of mature programs in markets like financial services and government/defense, where security and compliance programs have long been considered critical. On a positive note, this shortage shows that organizations are now putting more focus and effort into their security and compliance programs. It also creates great advancement opportunities for security and compliance professionals.
The changing face of security and compliance talent
There are several ideas and tactics trying to help satisfy the need for talent. Some organizations have established "feeder" programs with teams that typically are good sources of security and compliance skills, such as network monitoring, audits and system engineering/administration. Security and compliance leaders are also broadening their searches and recruiting more heavily from teams like data analytics, application development, project management and quality assurance.
Those teams may not produce anyone with actual security and compliance skills or training, but you may find that they sometimes harbor individuals who, with a little formal training, can be developed quickly into a midlevel resource. Companies have also decentralized security or enlisted third-party security vendors to try to offset the shortage. Those strategies, however, rarely offset the staff shortage because both still require employees to oversee and manage those parties.
It's also important to remember that technologies, policies and procedures are a valuable part of a security and compliance program. For all of these to be implemented and maintained effectively, security and compliance professionals will be required to run the program. This could require further creative recruitment to ensure all GRC processes run smoothly.
Turnover and personnel succession are inevitable parts of every security and compliance program. But by staying proactive and considering all your options, you can find replacements for the resources you lose.
About the author:
Jeff Jenkins is a regulatory compliance, information security and risk management expert and currently the director of cybersecurity at Travelport LTD. Prior to his role with Travelport, Jeff served in security executive/leadership roles for a number of private- and public-sector organizations including Cbeyond, Equifax, The First American Corporation, S1, the state of Georgia's Department of Human Resources, and Cobb County Public Schools. Jeff currently holds CISSP, CISA, CISM and CGEIT certifications.
Mobile compliance and security reliant on thorough planning, follow-up
Industrial control system security training needed to improve response
Network security architectures face skills shortfall