One of the biggest challenges for organizations (especially those with less capital to spend) is finding and hiring qualified individuals with the requisite information security skill sets. The problem is compounded by the fact that there are more jobs than there are qualified candidates to fill them. This in turn drives up salaries for those individuals, making it harder for companies to hire and retain experienced personnel. This complaint is a perennial one.
“[In security] it's hard to find good people. Everybody seems to be getting on the bandwagon. There is a high demand. We lose a lot of people. It's a revolving door where people come in and they get trained up and get certified and then somebody offers them a better deal [so they leave].”
Financial Services - IT/Engineering Managers and Staff - 10,000-49,999 employees
More than half (66%) of respondents are facing an information security skills shortage. The shortage is most acute in the finance sector, where 79% of respondents face a skills gap. Other verticals, such as healthcare and government, also feel the pinch and are typically hampered by both pay and location issues that only serve to further limit the pool of qualified candidates seeking employment opportunities.
Older companies, typically digital transformation “laggards” with conservative approaches to new technology, face even greater challenges in acquiring skilled information security personnel. To be brutally honest, a company with significant technology debt (i.e., legacy systems that do not easily integrate with newer technology platforms) is a company that few highly skilled IT professionals would really want to work for (at least not for long). An organization whose infrastructure has outlived the IT staff’s availability to support it is not the place for the up-and-comers in tech who want to work with modern infrastructure environments and “cool” emerging technologies.
Recruiting
When it comes to hiring, companies large and small are having trouble recruiting information security personnel. This shortage will not resolve itself: the growing number of connected devices and the continued drive toward digital transformation will only compound the problem.
Retention
Security specialists are in high demand. Companies are struggling not only to find personnel, but to hold onto them as well. One-third of smaller organizations with fewer than 1,000 employees find it extremely difficult to retain information security specialists, as do one-quarter of larger organizations.
Compensation
Companies recognize the value of these employees and the difficulty in replacing them once they leave. One retention option is increased compensation. Respondents were asked to describe how they see compensation for security professionals changing over the next 12 months when compared to the previous 12 months.
More than half of respondents plan to increase compensation for their security professionals over the next 12 months. Among organizations with 1,000 to 9,999 employees (a group more affected by the security skills shortage than others), 70% plan to increase compensation for information security personnel.
The two most readily available options, especially if hiring is proving to be a futile exercise, are to retrain existing staff or hire outside contractors. While outside contractors provide a quick fix, this is not a viable long-term option, particularly if the skill set is not being transferred to internal employees. As a result, companies need to take more proactive approaches, including continuous (re)training of existing IT staff and well-defined retention programs that keep the needed expertise in-house.