Lonely is the night
Rumblings about the security talent deficit are pervasive. Just like news of recent breaches, it’s hard to get through a week without reading an article, viewing a webcast, or attending a conference during which the subject is not addressed. A lack of staff to fill available enterprise information security positions is concerning; the quantity of digital information that requires protection only grows larger every day. Theoretically an increase in work requirements would see a commensurate increase in bodies to complete the work. That’s not happening, though, for various and sundry reasons, but one pretty big reason doesn’t receive as much play as others, and likely not as much as it should: Security vendors.
When you find yourself alone
While enterprises are struggling to keep pace with information security needs, the security vendor market is booming! New tools and services providers pop up regularly, and even through the current market can’t compete with the IPO and M&A activity of the early 2000s, large multinationals are scooping up grade school-aged companies for mucho dinero at a steady rate.
Small companies, just like their bigger, more resourced counterparts, understand that cybersecurity has to be part of the business plan; even those with very limited budgets have IT staff who know basic blocking and tackling must be in place. Much of it is expensive, and nearly all of it is provided by security vendors. Yes, some reliable freeware exists, but only the most bootstrapped—or the most technically savvy—rely solely on what’s freely available.
As a result, vendors get the dollars, which they then turn around and (partially) use to hire as many of the best and brightest as possible, in many cases, luring security staff away from lower-paying jobs in the enterprise.
When there’s no one left to call
The luckiest security pros land at organizations that not only pay better for equal work, but they’re given opportunity to work on interesting projects, the time for which might not have been available in an end user organization where resources were tighter. Some vendor organizations, in fact, hire new security staff for the express purpose of conducting research, building new products, or looking into nascent categories. Free time and creativity are attractive to security practitioners, many of whom come by tinkering naturally and appreciate the chance to spend time focusing on examining new malware strains or the latest attack vectors, just to see how they work. Who wouldn’t want to get paid to observe and find new ways to fix problems? It’s a great gig, and many lucky former security end users are seeing the fruits of their labor in the form of daily solicitations in their inboxes or fetching job offers.
Another lure for the move from end user to vendor employee is the ability to see a variety of security issues in one place. As an end user working at one company, the same types of issues, alerts, and scenarios are a daily reality. Security teams see the same traffic and look for similar threats day in, day out. Working for a SIEM or threat intelligence provider, for instance, one has the opportunity to watch all kinds of diverse traffic and analyze a greater variety of data, across industries and geographies. The universe grows wider as more organizations’ security concerns are brought into the mix, and many security vendor organizations offer the freedom to be part of that universe.
You feel the time is right
This is not to say that many security practitioners don’t like the challenges of protecting one kingdom and becoming an authority on her or his organization’s systems, risks, and threats. Different strokes for different folks, and all that. The reality is, however, more and more enterprises are losing security staff to vendors even as their internal needs grow. A lot of security staff also build their own consulting businesses to get the best of both worlds, thereby taking even more talent out of the enterprise pool. The good news there, however, is that many of those consultants provide the outsourced security-as-a-service that enterprises desperately need.
Say the writing’s on the wall
Many years ago, at a conference far in the past, one subject matter expert—a consultant, trainer, and circuit speaker—proclaimed that the future of security was 80-85% outsourced. While we’ve yet to see a shift that significant (and I, personally, don’t believe enterprises that are able will give up such consequential in-house capabilities), the last few years have seen security vendors scooping up as much talent as they can. Of course, the ebbs and flows in and out of companies—vendor and enterprise—are constant; some who work for vendors take the reverse path back into an end user role, and some entrepreneurs decide they don’t want to deal with the business aspects of running a company.
Whatever the case, the security talent shortage in the enterprise is real, but it may not be for the reasons you think.