Research

The Challenges of Acquiring and Retaining Information Security Staff

Written by Reflare Research Team | Jun 1, 2018 1:52:00 PM

Employers need to recognise that hiring people with a single skill set into an infosec role will only work for a short time frame before there is either burnout, or the person you hired realises that this job doesn’t match their interests and aspirations.

First Published 1st June 2018

Just because they can do the job might not necessarily mean they want to.

4 min read  |  Reflare Research Team

One of the main problems companies and organizations face when trying to increase their information security preparedness is the acquisition and retention of staff. In this briefing, we will take a look at why specialists are rare and why identifying them can be tricky.

Young Markets

The importance placed on information security by the general public has increased sharply over the past decade. While secure systems were still somewhat of an afterthought for many companies in 2008, they are a key element of corporate planning in 2018.

Since this means that significantly more companies are investing more money and time into their security, it also means that significantly more staff is required to perform these actions.

Unfortunately, as is often the case in young markets, the supply of specialists could not keep up with the demand.

Creating Hackers

While select universities offered information security courses starting from the early 2000s, such programs were not widely available or recognized by employers until a decade later. This placed those interested in working in information security, but also interested in a university degree, in a rough position: Either study more general IT courses and hope they can be converted into information security work, or forego higher education altogether and risk being ostracized by a job market that increasingly requires degrees.

In hindsight, very few employers in 2018 have university requirements for information security staff, but the uncertainty pushed many young people toward more generalist IT studies and ultimately into fields of work unrelated to security.

At the same time, some of the fields within the greater realm of information security are so highly specialized that it is hard to train generalists for them. Blackbox auditing, cryptography and social engineering are examples of fields that require a level of natural aptitude to study successfully.

Lastly, for some individuals, compensation for their newly acquired skills can be significantly higher on the black market than in a corporate role.

This combination of relatively high career risks involved in choosing to work in information security a decade ago, the aptitude required for some of its sub-fields and the (slowly closing) gap between money to be made working legally and illegally lead to the current lack of capable talent on the primary job market.

Identifying Hackers

Once potential new employees or consultants are found, companies face the second major challenge: Assessing the candidate’s skill level.

Similar to many other IT fields, a university degree is not a guarantor of skill. The large faction of information security workers without any university degree amplifies this problem. At the same time, the field of information security is expanding so rapidly that no one is a master of all related skills.

From our experience, around 50% of all applicants for corporate-level infosec positions (regardless of whether they have a university degree or not) are grossly unqualified for the work. This means that they display a complete lack of understanding of core concepts.

Larger organizations with established infosec teams have the option to let their existing staff interview and vet new potential hires. For small and medium organizations, staff selection is more of a gamble. With the large information security consultancies charging prohibitively expensive rates, often the only available option left for small businesses is to take a chance on smaller consultants or unknown staff. Unfortunately, incompetence is usually only exposed by a breach. And once the breach happens, it may be difficult for smaller organizations to recover.

While information security certifications such as CISSP are good indicators of whether a candidate understands a specific subfield such as risk management, they say little about other fields.

Lastly, the difficulty of identifying capable staff can also easily lead to situations where capable employees are not remunerated or placed appropriately. This in turn may lead to insider threats or coverage gaps. We will take a more detailed look at this topic in upcoming briefings.

Summary

A combination of remuneration gaps, career uncertainty, aptitude requirements and a lack of university programs in the early 2000s is leading to the current shortage of information security staff. As security continues to enter the mainstream, we expect this situation to slowly ease over the coming years.

At the present time, the only reasonable method to assess a potential hire’s information security skill level is through existing staff. This creates a chicken and egg problem for employers which impacts smaller organizations harder than larger ones.