The poor scalability of cybersecurity consulting services is exacerbating the challenges of meeting surging demand, forcing security service providers to build creative recruitment strategies and look overseas to meet demand, according to the head of one fast-growing security consultancy.
Speaking with CSO Australia just weeks after he joined pen-testing and auditing firm Securus Global, CEO Chris Williams said the company – which hopes to hire 10 new security specialists over the next 12 months – has recently recruited experts from as far afield as Brazil, London, and Portugal.
“It is that hard” to find suitably skilled professionals, he said. “In Australia, there's only a very small group of good security analysts and hackers. So you either start playing the chess game and moving everybody around [between companies], or you go elsewhere. I went globally, looking for the best I could find.”
The issue has produced common problems across the entire security industry, where consultancies are fighting for skilled professionals in a small pool and the labour-intensive nature of the job has made it difficult to scale up organisational capabilities.
“The biggest problem is our ability to provide the capability to service that demand,” Williams said. “Like any professional services business, security is not really scalable: there are no multipliers, and one person per day gives one FTE value to the customer. So it's a challenge for us to find ways to keep up with it.”
Recent research into the cybersecurity skills pipeline hasn't offered much relief.
In the Frost & Sullivan-backed ISC2 Global Information Security Workforce Study, released earlier this year, 62 percent of respondents said their organisations had too few information security professionals – up notably from the 56 percent flagging a shortfall a year earlier.
Frost & Sullian extrapolated the ISC2 figures to forecast a global shortfall of 1.5m information-security workers, with just 195,000 new infosec professionals hired globally this year.
“A security-conscious end-user community would seem to be an essential line of defense,” the report notes, “but the survey respondents are showing less confidence in the effectiveness of end-user security training and education.”
Read more: Australian IT-security spending outpacing the world as vertical-industry spending slumps: Gartner
This lack of confidence segues into the broader issues limiting security skills availability: “In the final assessment, the strategies of investing in security technologies, personnel, and outsourcing will be insufficient to materially reduce the workforce shortage,” the Frost & Sullivan analysis warned.
“An expansion of security awareness and accountability throughout the organization is required. Casual attempts at security awareness and education only go so far. A more impactful approach is to embed real security accountability into other departments, in particular IT; and for the IT and security departments to function more collaboratively.”
As a consulting organisation, facilitating this embedding is high on the list of priorities – as is getting the staff to make it possible.
Williams has been looking internally and thinking laterally in considering possible solutions, with one option revolving around the development of new, more-scalable services – staff security-awareness training is one option – that can be delivered to corporate customers with an online component.
This service, like another mooted Web-discovery tool and others in the works, would expand the Securus range of services and generate new revenue streams that can be invested into staff recruitment and training.
“If we can use that cashflow to start a bit of a graduate program internally, this will help us,” Williams said. “It would help break that cycle that graduates are in, and it means they wouldn't get thrown to the wolves from day 1; it would give us a place to get them up to speed without throwing them out on customer sites.”
In the longer term, expanding away from the one-on-one consulting engagement would not only bolster the company's capabilities but would “take a bit of the pressure off that demand for individual face-to-face engagements,” Williams said. “We're looking for all sorts of services that will differentiate us and add value. We'll never lose the consulting part, but that's not to say there aren't other services that we can deliver using different models. We've positioned ourselves to streamline the business and get it ready for that next growth phase.”
Want to know more?
Read more: Cybersecurity, Meet SAM
Why not become a CSO member and subscribe to CSO's mailing list.
Get newsletters, updates, events and more right here.