Cybersecurity Skills Shortage

As a safety measure, some companies are building their own in-house cybersecurity talent pools while others are creating hybrid roles.
December 5, 2017

With recent victims including Equifax, Yahoo and Deloitte — just to name a few — it’s hard to find a company these days that hasn’t been hacked in one form or another. And that means protecting both business and consumer data from cyber attacks has become a way of life for employers.

But the demand for cybersecurity professionals has been outpacing supply for some time now, according to the Leviathan Security Group, an information security firm in Seattle that addressed the shortage in a 2015 white paper:

“With more than one million cybersecurity positions unfilled worldwide,” the white paper states, “currently identified security needs couldn’t be met if every employee at GM, Costco, Home Depot, Delta and Procter & Gamble became security experts tomorrow.”


Since then, the shortage has grown “much, much worse,” says Frank Heidt, CEO at Leviathan.

And while there seems to be no end in sight to the attacks, HR professionals are fighting back by growing their own cybersecurity staff or placing in-house talent with key business skills in hybrid positions to help prevent global invasions.

Earlier this year, the Information Systems Security Association and the Enterprise Strategy Group surveyed 343 information security professionals about the cybersecurity-skills shortage. The survey found that 45 percent had experienced at least one “security event” over the past two years. Perhaps more troubling, 70 percent believe that the shortage has had a negative impact on their organization, with 62 percent also saying they are falling behind in providing an adequate level of cybersecurity training.

To boost its cybersecurity-training efforts, Mosaic451, a Phoenix-based cybersecurity services provider and consultancy, piloted Cyber Candidate School last spring. The paid, six-month internship for new employees with diverse backgrounds has already graduated 15 participants from three classes, who were then placed in entry-level positions, says Michael Baker, managing director at the organization. Next year, he hopes the program will produce double the number of graduates.

While grow-your-own programs can be effective, they require resources and training time, and they must attract the right people, says Aileen Alexander, senior client partner at Korn Ferry in Washington, who also co-leads the organization’s global cybersecurity practice.

She says successful cybersecurity professionals often share similar skills and competencies. For example, they understand risk, are agile and business savvy, and demonstrate resilience on the job.

“Once you have that framework, you can think about growing from within,” says Alexander, adding that military veterans and business consultants generally perform well in cybersecurity roles. “So much of these roles are moving from a pure technical function to one that’s really business and risk driven.”

She believes HR leaders need to step back to assess their organization’s talent capabilities and gaps, identify who cybersecurity should report to — the CEO, CIO, CISO, or chief risk officer — then decide whether to hire or train new talent. Some mature companies are also rotating in-house talent by giving them different experiences and exposure, rightsizing from a compensation perspective, and being more deliberate with succession planning.