Companies can't find enough qualified security personnel, and fixing it requires "a fundamental shift in how businesses recruit, hire, and keep security talent," according to a VentureBeat
article by an Intermedia security executive:
The trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues -- what we need are people who can protect businesses environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing. Second, certain companies may not know what to look for in a professional. Third, when skilled professionals are hired, they can often be overworked to the point where they don't have the time to keep up with the latest developments in the field -- and even in their own security tools... The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with. Here, companies need to do two things: step-up their advocacy when it comes to promoting cybersecurity careers, and look internally for employees who have the skills and desire to take on a security position but need the training and support to succeed...
Finally, businesses need to recognize that security threats today go well beyond just one department. Every employee should be responsible for knowing what to look for in an attack, how to report a suspected threat, and how they can simply disengage from content and files they deem suspicious. Basic security training needs to become a part of the onboarding process for any employee -- especially for those in the C-Suite, where a greater number of spear-phishing attacks occur.
The article also cites a study which found "about a quarter of all cybersecurity positions are left unfilled for about six months