At the beginning of 2016, the Cloud Security Alliance conducted a survey of IT security professionals that focused on, among other things, the growing gap between the high demand for skilled IT security professionals and a relatively low supply of them. The survey results also revealed that most enterprises (94.3%) expected their IT security budgets to either increase or remain flat. Around the same time, Forbes reported on a study that found that worldwide, there were going to be one million unfilled IT security job openings in 2016.

Fast forward a year and the skills gap remains the same. This shortfall is troubling because, as the CSA survey revealed, while enterprises might look for advanced technologies to protect themselves from a data breach, it is a lack of skilled professionals that’s holding them back from fully utilizing new security solutions and preventing a security incident.

In this blog post, we will explore some of the ways CISOs, CIOs, and hiring managers can acquire the necessary talent to reduce the skills gap and minimize their IT security risk. We will also provide helpful suggestions for IT and IT security professionals to help them take advantage of the large number of high-paying job opportunities in the field of information security.

Want to conduct better interviews?

Get a list of the 200 most commonly asked IT security interview questions.

Download Now

The problem requires a multi-pronged solution

There are several reasons why there are so many unfilled IT security job openings. A 2016 study by CloudPassage found that many U.S. universities offering a computer science curriculum require few, if any, cyber security courses in order to graduate. In fact, the top 10 U.S. computer science programs don’t require a single cyber security course, and only one of the top 36 programs does so. There are at least two things hiring managers and recruiters can do to remedy this:

  1. Take advantage of job fairs: Most schools have regular job fairs where students can meet with potential employers. This is a great opportunity for hiring managers and recruiters to stress the importance of cyber security education and training and make the students aware of the depth of opportunities available to a well-rounded computer science graduate.
  2. Build internship programs with IT security in mind: Internship programs are a great way for an enterprise to acquire talent while giving college students a chance to gain valuable experience. Enterprises should encourage interns in the IT and IT security departments to pass specific courses in return for a full-time position upon graduation.

Relying on recent grads will only help to fill entry level positions. Mid-level and senior IT security positions are even harder to fill because they require more advanced skills that can only be attained from continued training and years of experience. There are several ways to fill these types of roles, and enterprises may need to combine these methods to meet their goals.

Accelerate cloud adoption and cross-train IT professionals

One of the primary advantages of using a cloud-based service instead of an on-premises application is the cost savings that come with it. Another advantage is that by using an enterprise-ready cloud service, an organization is effectively outsourcing the underlying infrastructure security needs to the cloud service provider (CSP) at no additional cost. Companies such as Microsoft, Salesforce, and Box deliver platforms that are on-par with or more secure than most enterprise datacenters.

There is another, often overlooked, security advantage to moving to the cloud. As an enterprise migrates their systems to the cloud, they may find themselves with IT professionals whose skills are no longer needed. These individuals are prime candidates to retrain in IT security, and such cross-training can have the biggest impact in closing the IT security skills gap.

What can IT and IT security professionals do?

As more enterprises migrate their on-premises infrastructure to the cloud, some IT professionals may find that their skills are no longer needed. Combine that with the continued outsourcing of IT services to developing countries and it becomes clear that IT professionals need to expand their skill set in order to stay relevant. IT security training is the perfect avenue for these professionals to stay competitive in today’s job market.

Refocusing on IT security can also yield more money. The IT security industry is expected to grow from $75 billion in 2015 to $170 billion in 2020. The median U.S. wage for IT security analysts — an entry-level position — was $90,120 in 2015. By comparison, the median pay of a computer and network systems administrator was $77,810. There is a tremendous opportunity for IT professionals to take their careers to the next level and attain sustained job security.

For those already working in IT security departments, they should focus on skills, experience, and training in areas that will be most in demand in the upcoming years:

1. Incident response management

80.4% of the Cloud Security Alliance survey respondents indicated that incident response management skills will become more important or much more important in the next five years.

2. Analysis expertise with very large datasets

As mentioned earlier, most enterprises find a lack of skilled employees a far greater barrier to IT security than available technology. While an organization may have no shortage of relevant data that could prevent a breach, they often lack the necessary talent to make use of that data. This is why 74.5% of CSA’s survey respondents identified this as a skill that’ll become more or much more important over the next five years.

3. Communication with non-IT departments and executives

This is one of those soft skills that may go unappreciated until someone is in a managerial or executive position. But even for day-to-day security practitioners, communication is a key skill to develop. Being able to communicate a security risk effectively plays a large role in how seriously the risk is taken and what kind of solution is implemented.

4. Security certifications

Security certifications are a great way to keep one’s skills sharp while showing dedication to one’s their professional growth. The two top security certifications are Certified Information Security Manager (CISM) and Certified Information Systems Security Professional (CISSP). A detailed comparison of the two can be found here.

Lastly, there are a host of online security training resources out there—some paid and some free—IT professionals advantage of in order to build the skills that will be needed today as well as far into the future.