By Brian Dye, Corporate Vice President & General Manager/Corporate Products, Intel Security Group
With all the various cloud services being offered in multiple deployment options, coupled with the 500,000 new security threats discovered daily, the strain on IT staff has never been greater. The need to retain cyber-security pros versed in all the cloud specifics has never been greater. Unfortunately, competition for those professionals is also at an all-time high.
More than 209,000 cybersecurity jobs are unfilled in the U.S., and the number of postings has jumped 74% over the past five years, according to Peninsula Press, a project of the Stanford University journalism program. Demand is expected to grow by another 53% through 2018. And as IT evolves, the skillsets must evolve – meaning this shortage is only going to get worse.
“If the predictions are even partially true, we’ll be in a world of hurt in our industry if we don’t act now” to train the next generation of cyber security experts, said Christopher D. Young, Senior Vice President and General Manager, Intel Security Group, in a March 2016 RSA Conference keynote.
Cloud computing, in particular, presents IT organizations with a host of new security issues, such as protecting data, facilitating encryption and security protocols across multiple cloud providers, and negotiating service level agreements (SLAs) that ensure security and compliance. Never before has your cloud security team been more important. Here are a few techniques CISOs can consider.
Bite the bullet on cost. If you want skilled professionals, you have to pay for them. While there is little information available on pay rates for cloud-specific security skills, lead software security engineers earn an average of more than $233,000 annually, according to Dice.com. This makes them the highest-paid line staff in the IT profession. But consider their value. It’s estimated that the average consolidated cost of a data breach is $3.8 million. And that doesn’t account for the massive reputational damage that can accompany such attacks. Funding of course is always a challenge, but investing in automation can both pay for the premium talent you need and ensure they are focused on your hardest problems.
Define career paths. Pay is overestimated as a factor in job satisfaction among knowledge professionals, and security is no exception. In fact, nearly 30% of respondents to the SANS Institute’s 2014 Cybersecurity Professional Trends report listed career advancement as their main goal in pursuing a new position, edging out compensation.
This is where the cloud presents opportunities. With cloud security standards still being defined, your security pros can take on new and critical roles in creating strategies and governance standards for your organization. Your training investments in this area will pay off for your organization as well as your people.
Cloud security will also open up new career paths, and creating well-defined career paths is a good retention strategy in any field. Cloud offerings and configurations are changing so rapidly that ambitious pros should find plenty of opportunity to grow.
Use the cloud to vary the responsibilities of your team by offering assignments in emerging specialty fields like software-defined data center security, hybrid cloud authentication, shadow IT identification, mobile device management, and threat-detection analytics. There are even new certifications, like Certificate of Cloud Security Knowledge and Certified Cloud Security Professional, that offer additional room for growth.
Optimize the skills of your team to the different types of cloud. For example, security for public cloud infrastructure requires a highly technical security professional who brings their security knowledge and business context to that public cloud infrastructure (likely with incremental training). By contrast, IT security for SaaS requires policy and SLA audit and analysis skills more than technical depth.
Develop Cloud SMEs. Here’s another tactic: assign individuals to become cloud subject matter experts (SMEs). For example, identify a talented pro to become your IaaS SLA expert, then have him/her brief your leadership on your strategy and/or the steps you’re taking. If you have a chance to present the report to senior executives, who are increasingly putting security front and center, it’s a great way to recognize the contributions of a talented staffer (not to mention a way to stress the necessary investment).
Encourage collaboration. Security is the most collaborative of all IT professions, with experts freely sharing new discoveries and prevention tactics. Sponsor your best staff to represent your company on committees and local networking groups and to attend and present at conferences. Yes, there’s a risk they’ll be hired away, but your willingness to invest in their visibility is a powerful argument in your favor. In most cases, cloud security requires collaboration with 3rd-party cloud service providers, especially when drafting your SLA – who better to help contribute to the conversation?
Provide training opportunities. The risks that dominate the cyber security field change continually. Investing in skills development isn’t a “nice to have.” Your best people should be selected for the best training programs. While you might be enhancing their marketability, the more important issue is that you’re protecting your company.
Don’t forget diversity. We are seeing the value of driving a diverse workforce, and security is no exception. Given the talent shortage, it can at times feel like a luxury to consider diversity, but a more balanced organization will operate more effectively and increase the overall productivity of your team.
Retaining good cloud security employees may not be easy—but the consequences of not doing so are worse. We have the hard challenge of securing our organizations, and need the best resources possible to do so.