InfoSec talent shortage or lack of adequate training?

January 17, 2017 | InfoSec Workforce | By Brian Dulany |
To combat the IT security talent shortage, companies need to take a new approach to InfoSec training.

There are plenty of InfoSec jobs available, but not enough skilled pros to fill those positions. Or are there?

Estimates put the number of unfilled IT security jobs in the U.S. at over 200,000 and more than 1 million worldwide - with the vacancies only expected to increase. A cybersecurity skills shortage of that size obviously puts organizations at greater risk.

However, perhaps the problem isn't so much a lack of talent as it is a lack of training. 

Across the globe, businesses are failing to provide proper cybersecurity training. Some aren't doing it at all, and even those that do aren't going about it correctly. Research by Shred-It showed that:

  • The majority of C-suite executives only conduct InfoSec training once a year.
  • Almost 30 percent never train employees on compliance requirements or company procedures.
  • After just a week, workers can forget as much as 90 percent of the information learned.

Clearly, the standard approach to InfoSec training isn't cutting it. 

"With InfoSec, awareness and education are not the same."

Quality over quantity
Much of cybersecurity training centers on awareness - something that happens once a year as a way to maintain regulatory compliance. It's time to reframe our approach to InfoSec training, acknowledging that awareness and education are not one and the same. 

In the same vein, it would help to address this much-talked-about talent shortage from a different angle. It's not that the talent isn't there, but rather that the potential isn't being tapped and used correctly - due, in large part, to ineffective training.

As Information Security Buzz recently pointed out, cyberwarfare is won through strategy and skill, not numbers. Just as productivity is said to come down to working smarter rather than working longer hours, the effectiveness of your InfoSec strategy isn't determined by how many people you have, but by their competency and proficiency. You don't need more IT professionals; you need ones who are trained and skilled in the core competency areas: risk mitigation, development and implementation, and counter-infiltration and threat emulation. 

Taking control 
It's up to organizations to take InfoSec training into their own hands to develop a stronger workforce. To be meaningful in today's increasingly complex and sophisticated world of cyber risks, InfoSec training must be consistent and customized - consistent with emerging trends and threats, and customized to the specific cybersecurity role of each employee. The threat landscape is constantly evolving, and what's learned in one training session may be irrelevant months down the line.

Human capital InfoSec assessments should be conducted to better understand where the security team is in terms of competency and preparedness. Once this information is available, it acts as a guide for InfoSec training programs, pointing to the skill sets employees need most based on the specific functions of their jobs. 

To learn more about the areas of InfoSec competency needed to succeed in today's cybersecurity landscape - and how to develop an effective security team regardless of the talent shortage, download our whitepaper.