Good help can be hard to find, especially when it comes to safeguarding sensitive corporate data.
That’s the takeaway from a recent KPMG poll of over 300 senior IT and HR staff, which found that cyber security has become a serious problem for many organizations. Seventy-four percent of businesses confirmed that current and emerging cyber threats demand new skills—skills that their current staff don’t possess—and almost as many respondents (70 percent) admitted that their IT organization lacks specific “data protection and privacy expertise.”
The fact that these skills are in high-demand is part of the problem. Over half of those surveyed indicated that there is difficulty in retaining individuals who specialize in cybersecurity due to “aggressive headhunting,” and there are greater turnover rates because these high-value individuals trade up for employers with deeper pockets. While the data doesn’t specifically address this, it suggests a sharp capability gap between the largest organizations who can afford the best, and everybody else.
“The issue here is that the security industry is suffering from a staff shortage,” John Colley, managing director at (ISC)² EMEA, says. “There’s only one way to address that: to provide adequate training, skills and certifications to help nurture the workforce. That includes hiring people with less experience and growing them into the job, while ensuring people have the correct professional qualifications.”
Another issue is breadth of skills. Sixty percent of KPMG poll respondents indicated that they are concerned with having cyber experts who can effectively communicate outside their department. This is a key issue, because executives and business leaders need to understand the gravity and nature of the threat to properly assign priority. If cyber experts are broadcasting signals that get lost in the noise, their expertise will go to waste.
If there aren’t enough professional cyber threat experts to go around and companies can’t afford to retain them, one solution is to expand the pool of potential applicants. KPMG’s research shows that over half of companies surveyed would consider actual hackers to supply information to their IT departments, and would go so far as to hire individuals with a criminal background. These statistics speak to both the specific nature of cyber security expertise, as well as the seriousness of the skills gap.
The skills and perspectives needed to properly respond to current threats and anticipate future assaults seem to be best honed in the service of delivering those threats. It’s not unheard of, either. Kevin Mitnick is a well-known security consultant who was convicted on federal hacking charges, and in October two Cambodian hackers were given shortened prison terms when they agreed to provide security services to government agencies.
What is new is a widespread skills shortage urgent enough to push employers to think about hiring convicted felons to address a growing threat. As manufacturers continue to innovate smart, connected products that will store data capable of being illegally accessed, the size and complexity of security challenges will only continue to expand.