The global talent gap estimates for security range between 2 to 4 million. As organizations go digital and the aftereffects of covid-19 increase the dependence on remote working, the need for security is going to become even more pronounced.
In the current scenario, there exists a chasm between the technical and generalist skills respectively. What businesses lack is not just the resources that would serve them today but the preparation for what lies tomorrow. The top six challenges businesses are facing include:
- There aren’t enough educational institutions focusing on security. They do not even provide a baseline of skills, irrespective of the area of specialization students may choose.
- Security as a profession is not attracting the required level of talent, as it does not come across as a lucrative option for young adults.
- Soft skills are a general area of weakness for security personnel which needs to be fixed to obtain full business value.
- There exists a lack of diversity in terms of both technical specializations and gender. Women are usually under-represented in the team.
- Businesses approach security in a short-sighted manner, and they only look at IT security or cybersecurity, where they instead need to look primarily at information security.
- An observed lack of direct representation of security on the board of the company results in lower awareness and focus on the function of this service.
As organizations tackle these challenges and strive to build a strong security team with the right composition, these are the three categories of activities they need to fill in:
- Thinking: This task involves establishing the processes and frameworks. It will include the governance, risk and compliance team that powers the talk about regulatory compliance and thresholds.
- Doing: This involves driving the security operations for the organization. The team focuses on network security that is implemented using different kinds of tools and procedures.
- Communicating: There has to be a way to communicate the security requirements and policies with both the internal and the external stakeholders. The security team must have positions for people who are responsible for the communication task. This is an essential function of the team.
Businesses can choose to either buy or build these capabilities for themselves. The thinking and communicating functions of the businesses need to be part of the parent organization as they require the knowledge of the organization to be applied. The doing function is where the organization can really take advantage of the new techniques like as a service model, outsourcing it completely.
Internal sources of building teams hiring individuals from various departments across the business will help create a diversely talented team. This will aid in the better understanding of the security risks of every department and create optimized policies. It is also a cheaper source of hiring for the business.
When hiring individuals from external sources, certification courses act as the primary filter. There are a few courses that are general in nature and which focus on the management perspective, while the others are specialised deep-dive courses in specific verticals of information security. The most highly recommended courses, which form the base of many careers in security, include:
- CISSP (Certified Information Systems Security Professional) – this acts as the first level of certification for any aspirant. 36% of all security professionals hold this certification.
- CCSP (Certified Cloud Security Professional) – is from ISC2, it focuses on cloud security as a broad vertical and is held by 18% of all security personnel.
Through the course of their careers, professionals can add on more certifications depending on the path they choose. These certifications are in-depth add on courses.
- CISM (Certified Information Security Manager)
- Vendor certification courses (to focus more on execution) including the likes of F5, Palo Alto, Cisco, and Amazon to name a few.
- CEH (Certified Ethical Hacker)
Hiring good talent is already not an easy task for any organization, but to retain a good security professional is even more difficult. It is important that businesses put equal if not more emphasis on the retention of talent that is already well-adjusted within the organizational structure. On top of it, ensuring constantly updated knowledge and capabilities in the rapidly changing business environment is another challenge to deal with.
Security for enterprises is yet not well understood by many business leaders around the globe. It is often regarded as just a technology challenge when in reality it is much wider in scope. It’s about people, processes and technology and it is there to ensure that businesses stay relevant and secure. Thus, it is essential that the focus shift from technology to people and processes.
MD & Founder,
Information security head,
A leading telecom company
Srinivas B. Senior Director,
Solutions and Services,