6 Tips for Overcoming the Security Skills Gap

It‘s almost become a cliché that there are too many security jobs for too few qualified applicants. In fact, according to recent research, this problem has increased year over year, with 53% responding that they’ve faced a skills shortage in this area.

Tim Brown, VP of security, SolarWinds MSP
Author: Tim Brown, VP of Security, SolarWinds MSP

And the stakes of tackling cybersecurity challenges have never been higher. With an increase in the number of regulations with mandatory breach reporting requirements, the public grows ever more aware of the dangers of data breaches while businesses face increased visibility and scrutiny.

As a result, many businesses increasingly recognize the need for security services. Which means Managed services providers (MSPs) face both a challenge and an opportunity. Businesses will increasingly expect their MSPs to be able to handle all things IT, including security. Yet, with a skills shortage, can MSPs hope to tackle this critical challenge? Today, I’ll look at what steps you can take in a competitive skills market.

Why is there a shortage?

We should probably address why the shortage exists in the first place. For starters, the obvious answer comes from the relative infancy of the field compared to other IT roles. This leads to fewer people with a background in security. Add in the fact that technology itself has become more complex and disparate, and finding the right talent can be incredibly challenging.

However, we should also consider that there’s simply a proliferation of needs in the security realm. The industry needs SOC analysts to manage and analyze incoming alerts. It needs forensic experts to analyze attacks, preserve evidence, and potentially interact with authorities. It needs security engineers and architects to design networks and systems for security. The industry needs cryptography experts, pen testers, threat intelligence analysts, project managers for rollouts, cloud security specialists, and communications professionals to help around incidents. Simply put, there are a plentitude of needs, leading to a lot of roles and specializations that teams need to look for. Finding experts becomes more challenging as these needs continue growing.

I mention these roles to put the shortage in perspective. Many positions require specialists. But as an MSP working with SMBs, you most likely won’t need an advanced cryptoanalyst on staff. And even if you were looking to hire specialists, you won’t need to hire a full complement of security experts—you’d only need to choose those with specializations that fit your client base.

In short, the overall skills shortage numbers don’t tell the entire story, and they certainly don’t tell your story. So keep that in mind if you worry about finding quality candidates.

Finding your candidates

Despite my point about specialization, finding security professionals can still be a challenge. So here are a few pointers:

  1. Check your expectations: Hiring someone is daunting, to say the least. You’re entering an important business relationship with someone based on maybe only a recommendation, a resume review, and an interview. Because making a bad hire can hurt the business, some organizations adapt by setting insanely high hurdles for candidates to clear. If you’re looking for a security professional/generalist, but want them to have 10 years experience in a security role, you may need to lower your expectations on the experience. The skills are what matters here. Ask yourself if they have the technical skills and aptitude to continue growing? Do they have the curiosity to stay on top of the latest trends in the field? Do they have the analytical mindset needed to make sound judgments under pressure? Yes, experience is still important. Don’t forsake that entirely. I simply want to remind you to allow some wiggle room when looking for a good candidate.
  2. Hire recent grads: Recent graduates with a security background could complement your existing team nicely. You may not want them interfacing with clients immediately or creating complex security plans, but newcomers to the field can be a great way to grow your practice. Plus, they can be a great addition if you have someone a little more senior in security to show them the ropes.
  3. (Re)train a point person: Try designating one employee with the interest and aptitude to become your security “guru.” Giving them additional time to train, attend conferences, and follow the press. Let them train up and become the go-to person for your MSP. They can help you improve security services and pass on knowledge to the rest of the team. This won’t just help your clients; with the increase in attacks against MSPs, you really need to have a security expert on staff to protect your own business and team.
  4. Choose the right software partners: Don’t forget to review the resources your software vendors provide to help you become stronger technology and security professionals. A good vendor should provide resources like blogs, eBooks, reports, and even boot camps to help you grow your skillset. It can be especially helpful to have vendors curate topics so you don’t get overwhelmed. Remember, your success is their success—make sure anyone you’re retraining to become a security guru doesn’t overlook those resources.
  5. Contractors: Another excellent option is to hire an expert on a short- or long-term contract. This gives you a chance to bring in a security guru to help set initial policies, train your team, and offer services (on a short-term basis) while your team gets up to speed. They can also serve as a mentor for someone in-house you’re appointing as your security guru. Plus, you always have the option to hire the contractor if your security business starts booming and they fit well with your existing team.
  6. Partner with a third party: This may be your best option. Finding a good security partner you can lean on helps reduce the burden of hiring (and paying for) your own talent in house. A good security provider will already have the talent in house so you don’t have to go through the exhausting candidate search process. Plus, they can often attract more candidates simply due to their specialization.

Getting around the skills shortage

Overall, the IT industry does face challenges in hiring new security professionals. As MSPs increasingly become the focal point for cybercrime, they will need to find ways to overcome this shortage. One bad incident could put their customers—and potentially them—out of business. However, the tips above should give you ideas on building your security bench even if you’re starting from scratch.

Tim Brown is VP of security at SolarWinds MSP. Read more SolarWinds MSP blogs here.