Recently, Rackspace Head of Security Solutions Scott Schlueter and Security Delivery Manager Dave Baxter sat down to discuss the cybersecurity talent gap and its organizational impact. Together, they shared how proactive organizations are navigating this challenge and provided insight into the future of this challenge. Highlighting the critical need for resilience, they offered actionable advice on cultivating talent through targeted upskilling, robust training programs, and strategic deployment initiatives.
Q: What’s the situation today regarding the cybersecurity talent shortage?
Scott Schlueter (SS): There is still a significant shortage of talent in various areas within the industry. This occurs when companies lack staff and must find a workaround. It’s important to also note that many organizations are not even able to fully address this gap effectively at all times. Some cybersecurity roles are proving to be especially challenging to fill, especially architecture and compliance advisory roles.
When it comes to architecture, it is crucial to define the task before beginning a six-month project. Similarly, a compliance specialist may have to comply with a specific regulatory timeline and work against a set date. For larger enterprises, having a full-time staff member may be more feasible, but for smaller businesses, this is often not the case. In these situations, companies may need to seek resources from other organizations, causing a persistent talent gap with no clear resolution in sight.
Q: How is the shortage of skilled cybersecurity workers likely to evolve, and what patterns have you observed in your discussions with colleagues?
SS: The U.S. Bureau of Labor Statistics' Occupational Outlook Handbook for Information Security Analysts states that employment for information security analysts is projected to grow 31% from 2019 to 2029 — much faster than the average for all other occupations. As technology advances and organizations evolve, the need for skilled cybersecurity specialists keeps increasing. Job prospects are going to be strong for the foreseeable future. This underscores the pressing need for individuals to enter the field to address the growing demand. And they are.
But even despite the increasing number of people pursuing careers, the process of advancing from entry-level roles to senior leadership positions takes a number of years, often as much as a decade. So, you have a sizeable pool of junior professionals in the industry and a smaller sample of highly skilled, senior-level workers, where demand for their services is consistently high and job opportunities abound.
Dave Baxter (DB): It's a little bit like the Microsoft Certified Solutions Associate (MCSE) certification trend in the 1990s. High demand for certified professionals back then prompted Microsoft to introduce a line of certifications that could be completed within six weeks. As a result, there was a surge in companies hiring individuals with the MCSE certification, despite their lack of practical experience. The current trend of companies prioritizing certifications over hands-on experience is becoming all too familiar in the cybersecurity field.
And there’s a similar trend worth mentioning: Vloggers in the security industry are promoting the idea of obtaining three major certifications within 90 days. These experts have shared their own experiences, tips and study resources to help individuals prepare for the CompTIA Security+, CEH and CISSP exams in a shorter time frame. Emphasizing the importance of dedication and hands-on learning, they believe these certifications are valuable for career advancement in the field.
Q: What responsibilities do individuals have in addressing security and advocating for enhanced incentives or retention strategies?
DB: Companies that are staying out front on this matter are going to prioritize investing in upskilling through various methods such as classroom training, partnering with agencies and vendors, and staying updated with industry-standard salaries to retain talent. Self-learning and adapting to new technologies also play a significant role in maintaining staff skill sets since our field is ever evolving.
Q: What will be the consequences if a company isn’t stepping up and addressing its cybersecurity recruitment and training?
SS: As cybersecurity constantly evolves, it brings new challenges such as securing the DevSecOps pipeline and incorporating AI responsibly. These developments create opportunities for individuals to join the industry through upskilling or migration from related fields, like data science.
DB: Basically, that's been my journey here in 10 years. I moved from risk assessment, customer audit, compliance and vulnerability management to managing encryption and hybrid cloud security. I had to constantly adapt, even if these weren't my specialties. We always like to say, "Real security people live it, they don't just learn it."
SS: A good technologist enjoys constant learning and avoids stagnation by gravitating toward emerging fields. They strive to stay current by focusing on areas with growth potential. If your company is not pursuing new and innovative technologies and investing in security growth, the talent will move on to organizations that are innovating and investing.
I know of organizations that are hesitant to provide blanket training and certification in fear of staff leapfrogging to other orgs. However, if knowledge and certification is acquired and adopted within active projects, then it provides a sense of applied knowledge and ownership which ultimately aligns with the goals in a security program. Leaders should develop a training plan that blends organizational needs with each individual employee’s desired learning path so that each party is achieving upskilling and smart growth.
Q: The budget allocation for security has drastically increased in recent years. According to cybersecurity research we conducted with 1,420 global IT decision-makers earlier this year, 62% of IT leaders increased their budgets over the past year. Is this enough to keep businesses and organizations adequately protected from cyber threats?
SS: In the past 10-15 years, security budgets were often relegated to an afterthought, with the lion’s share of attention placed on IT infrastructure and applications. This oversight led to inadequate security measures, leaving organizations vulnerable to breaches. As technology and threats evolve, investments in security are crucial, and companies need to shift mindsets to prioritize security rather than treating it as an afterthought.
Security cannot be the responsibility of one department. The savvy CISO will deputize their peers to drive security best practices. Security leaders will also benefit from advancing other departments IT strategies by leveraging security dollars to help fund platform, data and application initiatives that can meaningfully lower organization risk and technical debt. Innovative investment means that security is baked into all strategic initiatives, and not just another tool to overlay or restrictive workflow.
DB: There is a starting to be shift toward allocating a higher percentage of the budget to security, especially for companies handling sensitive information. It's crucial for businesses to prioritize security and staffing issues to protect themselves and their customers. That way they can keep making progress and focusing on building secure systems.
The 2023 Cybersecurity Research Report
About the Authors
Manager, Global Cloud Security Solutions
Scott Schlueter has over 20 years of experience in information technology across diverse industries including higher education, enterprise and managed IT, and healthcare. As an Information Security expert specializing in security architecture and risk-based strategies maximizing security goals, he has become a dynamic leader and articulate communicator with a talent for building business processes with an emphasis on automation and fostering relationships among business units and principles. He is a certified information security professional with extensive experience in enterprise project management, mergers and acquisitions, and maximizing effectiveness of security controls.Read more about Scott Schlueter