Bluelock, an Indianapolis-based cloud provider of disaster recovery services, has had to struggle to attract the right security staff to help the company develop and manage its cloud service.
Being based in the Midwest, the company has to compete against both the West Coast and East Coast for talent. As Indianapolis becomes more of a tech hub, they compete with other local companies, as well.
The competition is fierce for developers and IT professionals, but even more so for security experts, said Jeff Ton, executive vice president of products and services for Bluelock and a former CIO for Goodwill Industries.
With security skills a necessity for nearly 25 percent of its workforce, the company has hired aggressively and fought to keep its employees. In addition to beefing up benefits, Bluelock has focused on working with its IT staff to develop their individual careers by putting an emphasis on continuing education and interesting projects. For the most part, the approach has worked and attrition rates are low, Ton said.
“You have to attract new talent, and once you attracted them, you have to keep them,” he said. “So we have to make sure that they see Bluelock as an attractive place to work.”
Developers and IT professionals have always been in short supply. Yet, with breaches regularly making headlines, workers with cyber-security skills are finding themselves in even higher demand. Companies are having trouble finding qualified candidates, and when they find them, they have trouble retaining their new hires.
In a 2015 survey of 14,000 global respondents, Frost & Sullivan found that 62 percent of respondents felt they had too few security professionals, compared to 56 percent who felt the same in a 2013 survey. Based on the demand, the research firm estimated that the shortfall in global information security workers would reach 1.5 million in 2020, even though almost 200,000 skilled workers were expected to join the workforce in 2015.
The shortfall means that hiring cyber-security professionals is expensive. Workers in IT security get 9 percent more than other IT workers, or about $6,500 per year, according to Burning Glass, a provider of data-analysis technology for human-resource groups. In 2014, there were almost 240,000 postings for positions having to do with cyber-security, accounting for 11 percent of all IT jobs.
Much of the demand could likely be offset by more efficient use of skilled workers and more intelligence tools, said Uday Veeramachaneni, co-founder and CEO of Pattern Ex, a startup that uses artificial intelligence and pattern-recognition software to identify attacks that resemble issues that analysts have previously discovered.
To date, most companies have been very inefficient in how they secure their systems—for the most part, not through any fault of their own. Information-security technology has typically been a hodge-podge of products and systems that companies often lack the expertise to integrate. As a result, many companies’ current approach to security is just throwing more bodies at the problem, he said.
“Most companies, when they find that [they] are missing attacks, the natural reaction is to hire more humans,” Veeramachaneni said.
Companies Get Creative to Relieve Shortage of Security Professionals
“But the root cause of the shortage is that you have, in effect, inefficient tooling. You need tools that are smarter and can augment the human. Otherwise, you are not going to be able to address the shortage.”
Veeramachaneni expects that better security technology can help the humans peer through the weeds and locate the real threats much more quickly, saving time and allowing humans to focus on triaging a small number of alerts.
Yet, for many companies that have little or no security staff, such technology, which is designed for trained security analysts, may not help. Instead, the market has to find ways to spread the knowledge of the current supply of cyber-security workers around to reach more companies.
In many ways, that’s just what cloud-security and managed-security service providers (MSSPs) are doing today. Both consolidate security expertise—another reason that salaries for cyber-security professionals have risen—and then deliver security offerings to the customer, as a cookie-cutter service in the case of a cloud firm and as a more flexible managed offering for MSSPs.
However, other firms are finding ways to divvy up the experts’ time, allowing companies to gain the benefit of security specialists without having to fill a full-time position. Unlike consultants, the worker is not there for a single job, but hired for a specific long-term function, said Ken Baylor, CEO and founder of Stealth Worker, a startup that enables fractional assignments for security professionals.
“If you look at how consulting is done, you hire someone and they hand you a report and leave,” he said. “With our service, you can hire cyber-security experts quickly, but it is really to build out your team.”
Stealth Worker’s most popular service is a virtual chief information security officer (CISO), a top-tier professional that may work for four or five different companies, each for 10 hours a week.
“There are a lot of companies that need people to run their whole program,” Baylor said, adding that a specialist CISO can quickly get a company up to speed. “It’s like when you build your first house—it is hard and you make a lot of mistakes, but the next one is easier. It’s the same when rolling out a security program.”
The trend in finding ways to share security experts’ time—the time-sharing of effort—does not end there.
Other companies are finding ways to bring in freelancers to help companies with specific security problems. HackerOne and Bugcrowd, for example, are two startups that have focused on finding ways to offer a specific security service, vulnerability assessments and research by allowing experts to freelance. Bug bounties are a way to pay for vulnerability assessments of Websites, services and software, allowing a company to pay only for results—actual bugs—and not a permanent hire.
Companies will have to find additional ways to work around the shortages in security professionals, Bluelock’s Ton said.
“The problems are not going away,” he said. “I think the challenge is to figure out how people are going to fill those roles. That is going to be one of the critical pieces in security over the next 5 to 10 years.”