Skills ‘shortage’ in security is not about big numbers

…and four ways in which CISOs are tackling the challenge

Skills ‘shortage’ in security is not about big numbers - CIO & Leader

In the last 3-4 years, several surveys have concluded that skills shortage is one of the top challenges for the enterprise community. Almost all major conferences have devoted hours of planned—and more importantly, unplanned—time to discuss this challenge. In India, no government functionary saying anything on cyber security fails to mention skills shortage, followed, of course, by what the government has been doing to close the gap.

It is not just India. The latest annual State of Cybersecurity 2018 survey by ISACA, the preeminent global body of information and cyber security professionals, reveals that skiils shortage continues to remain a top challenge for IS community. As many as 59% of enterprises report that they have open (unfiled) security positions and more than half (54%) report that it takes, on average, three months or longer to fill open positions.

But in most of the narratives, especially in India, it starts and ends with big numbers, giving an impression that it is the overall workforce size that is the challenge.

Is it really so?

This time, in our annual CSO Summit (which took place last week), I decided to get into the bottom of the issue. My hypothesis was that the numbers thrown to show the gap, though convenient, do not tell the whole story. Why, I even doubted, if the number story is true. By that, I do not mean that skilled workforce availability per se is not an issue; but I doubted if that is the issue for enterprise IS managers.

So, I took the opportunity of using one of the event components—called Security Cafe—in which a group of delegates take turns to discuss a specific topic for 10 minutes sitting around a table before moving to discuss another topic sitting around another table. While our sponsors were busy getting inputs/pain points from the delegates, I occupied a table to ask the senior IS managers this very question—is there a skill gap and if yes, what exactly does it mean?

In the one hour, I managed to speak to 19 such managers, in four rounds, in groups of 4-5. It was the perfect dipstick setup. Neither too short; nor too long. Neither boring two-people conversations nor a big audience answering a few questions by raising hands. The format was a close, warm discussion among 4-5 people.

And my hypothesis turned out to be completely true. While every single participant admitted that there is a skills shortage, almost all of them rejected that it is a question of number—or absolute workforce. Among the participants were senior managers/CISOs from Indian Oil, Godrej, L&T and the likes.

Instead, the consensus was that it is a question of specific skills.

“Earlier, there used to be one endpoint technology; today, there are many. Where do I get people, who understand all of that?” asked one.

“Today, security is everywhere, not just in computers. We do not have people who understand all of that,” said another, essentially reiterating the point.

But most of them pointed to super-specialization driving this gap.

“A network security guy does not understand advanced threat analytics or new data protection regulations,” said another, identifying this situation as the main cause for this apparent skill gap.

“For a mid-sized company, I cannot hire a dozen of these specialists,” said another.

The finding by ISACA survey also illustrates the same point. As many as 30% said that fewer than 25% of applicants are qualified for the position they apply for.


Addressing the gap

I asked how they are addressing this skill gap?

There are four broad approaches that they pointed to:

  • Automation: There’s a lot of talk about AI and analytics solving security challenges, but most have just started experimenting. While agreeing that it is the way forward, most senior IS managers said it is a little futuristic because of the following reasons. One, technology itself is not ready. Two, you just cannot throw your security personnel
  • Outsourcing: Outsourcing is the most practical way out and a predominant majority expressed their reliance on it for handling the super specialist requirements in security. “We cannot hire so many specialists; they do not have enough work. And we cannot give them growth. So, they are better working for someone for whom it is a revenue earner,” said a CISO. Peter Drucker would have been proud. 
  • Training/Rotation:  Many are trying to train their security professional in new skills. While many have already made their employees get certified, a few admit that it does not work that way. Only a miniscule fraction of professionals do retain what they learn if they are not actively working on something.Quite a few have turned to rotation of people across responsibilities within the security domain. “The idea is to create all-round security professionals,” said a CISO, even while others admitted to trying this but failing. “There’s stiff resistance by many of the practitioners,” confessed another.
  • Dissecting the process: A few large companies ae trying to do what the outsourcing service providers have done with highly specialized skills like engineering service or product design. They are trying to dissect all security functions into a skills pyramid in a manner that 70-80% of the work can be done by generalists while for only top-of-pyramid functions, you require specialists. But at this stage, this is more of an idea and only a handful of large companies are trying it.

Outsourcing is clearly the most preferred solution, even though most are looking at automation with a lot of hope for the future!

The discussion on which this piece is based was informal and unstructured, with explicit promise that they will be off-the-record; that is the reason we have not used the names with the quotes. Some of the IS professionals who participated in the discussion were Aashish Narkar (TCS), Akhil Verma (Fincare Small Finance Bank), Amit Sharma (Apollo Munich), Kishan Kendre (Reliance), Madan Mohan (Idea Cellular), Nitin Gaur (Omega Healthcare), Rajiv Nandwani (Innodata), Rohit Kachroo (Indiabulls), Sandeep Banerjee (Bandhan Bank), Sandeep Jamdagni (Ashiana Housing), Satish Asnani (BHEL), Satish Warrier (Stockholding Corp of India), Shakil Ahmad (Samsung R&D), Shweta Nair (Capgemini), Sudin Baraokar (SBI), Uday Deshpande (L&T), Vinod Negi (Dewan Housing), V Swaminathan (Godrej) and Yask (Indian Oil)


Add new comment