NP Group Blog

Confronting the Cyber Security Talent Shortage

Posted by James Spear on Dec 21, 2017 11:01:08 AM

According to ESG, 45% of organisations are reporting a lack of cyber security skills in 2017. That’s a huge number, considering the importance of cyber security and information security consultancy. With cyber breaches costing PLCs 1.8% of their company value (equivalent to a whopping £120 million), is just accepting the cyber security talent shortage enough? I think everyone would agree no. Whether you’re an organisation looking to implement a world-class cyber security recruitment strategy to attract the best talent, or are an investor in an organisation, you’re set to lose money and value if the situation doesn’t change. Our previous blog discusses this cyber security threat in greater detail.

There is an abundance of statistics available on the internet and in the media portraying the dark future for cybersecurity if the talent shortage isn’t addressed. Imagine a world with 3.5 million unfilled information security jobs – that’s 3.5 times worse than it is now. If losses are estimated at £125m per PLC now, they’re only set to increase if the talent isn’t developed to be able to fill these types of roles. My colleague Therese has written an in-depth blog discussing this talent shortage, which you can read here.

With the IT security talent shortage comes the impossible task of finding the specialist expertise in candidates when you’re looking to grow your teams. Whether you're looking for a chief information security officer, or third-party information security consultancy, organisations face the same challenges. It’s something I have experienced first-hand, as the Practice Director of NP Information and Cyber Security, working with clients who need cyber security recruitment to find specialists immediately, yet it seems a difficult task to find a pool of information security candidates large enough to then find the perfect employee for each and every client. David Shearer, CEO of (ISC)², suggests that “there is a definite concern that jobs remain unfilled, ultimately resulting in a lack of resources to face current industry threats”, so what can we do to help the situation?


Some large, multinational organisations without the financial constraints of most organisations have addressed this talent shortage and inability to hire through acquiring cyber security companies. Cisco, for example, has acquired Sourcefire, OpenDNS and Lancope. Microsoft have taken a similar route, acquiring cyber security start-ups since 2014 to build their cyber security defence mechanism. Unfortunately, not everyone has this luxury. Many organisations have a plethora of infosec jobs to fill, but often shelling out $2.7 billion for a cyber security company isn’t a feasible way of building a cyber security talent pipeline for the future. That's why some turn to cyber security recruitment agencies like NP Group - NCC Group did exactly this and found the talent they needed in a time-efficient manner.

Yet there are lessons to be learnt from multinational corporations. Looking at Cisco again, they have launched a cyber security scholarship fund. Although Cisco’s fund is a hefty $10 million, there is potential to replicate this methodology as a way to encourage younger generations to study cyber security related degrees and increase the number of qualified candidates entering the marketplace. As part of this scholarship, those who receive a bursary also receive mentoring, training and support from Cisco professionals alongside their professional qualification to ready them for the workplace. With mentoring and coaching programmes gaining increasing popularity in recent years in the digital space, this could easily be represented on a large scale across information and cyber security. It is one thing educating and equipping candidates with the knowledge they need to become excellent security professionals, but it’s another providing the skills required to actively problem solve and work in a team environment. There are many people out there who could be interested in information security careers, but we need to work to attract them to the industry and make the pathway easy.

Another approach to the cyber security talent shortage is to target individuals who have already started their career. Often, the skills (not the knowledge) of security professionals are transferable – problem solving, thinking analytically and working under threat. So why not open up the often-siloed cyber security department to engage and collaborate with other departments more closely, to pass on some of that knowledge and encourage horizontal moves, supported by the right education and training? This isn’t a new phenomenon – 87% of information security workers started their careers doing something different according to a GISWS report. But building on and encouraging this statistic to arise is another opportunity to develop rising stars within information and cyber security, and start to fill those seemingly unfillable roles. This means that security recruitment doesn't have to be so one-dimensional - you can look at other talent pools you didn't previously think were qualified enough to fill that information security job.

Although the cyber security talent shortage makes the future seem bleak, it actually provides a real opportunity for employers and educational institutions to upskill their existing workforce, and engage potential candidates at a university level before they even start looking for a job – effectively enhancing your recruitment process. Currently, only 16% of employers believe that over half of their candidates are qualified. So by providing a scholarship fund, combined with the skill transfer approach through mentoring and coaching, there’s a great opportunity to turn this statistic on its head and find qualified candidates ahead of your competition. Find out how NP Group can help your organisation through our free download.
