Deloitte expert recommends using tactics to compete for the pool of security pros, including offering new incentives like student loan repayment.
Cybersecurity has evolved beyond the IT department--it is now a business imperative across all departments and all industries. Some estimates predict that the global shortage of the information security workforce will hit 1.8 million roles by 2022.
Anthony Russo, a principal with Deloitte Advisory, Cyber Risk Services Practice, said that the problem is that everyone is competing for the same limited pool of in-demand professionals.
Another challenge is that there is no one-size-fits-all skill set to fill these jobs. Some cybersecurity jobs require specific technical skill sets, while other roles require leadership skills, strategic thinking, and the capacity to communicate technical details to executives and corporate boards.
Vishal Salvi, chief information security officer at Infosys, said that security leaders will need a higher level of trust and support from corporate leadership than in the past.
"Being good at technology is no longer enough," he said. "A CISO needs to speak a business language and give the board an assurance that where you're going is the right direction."
Here are three ideas for revising your strategy for hiring security professionals.
Look for versatile and adaptable people
Organizations need to recruit professionals who can adapt to the growing threat landscape and, in some cases, shift to new challenges. One example is threat intelligence--this specialization is not new, but it's becoming more important as organizations move from reactive to proactive postures.
Russo said organizations are struggling to attract versatile cyber professionals to manage risk.
"As new cyber threats and actors emerge, the approaches to battling cyber threats must also evolve," he said. "The skill and talent gaps to combat this span across every cyber domain, both newly emerging specializations and existing cyber focus areas that are becoming more prevalent as organizations mature their cyber capabilities."
Dani Michaux, a principal at KPMG Cyber Security Services, said that security veterans need to accept that the world is always changing and assess the best available tech to best defend the enterprise.
The entire security team needs to be a learning organization to attract talent and keep up with new threats and new defenses, Michaux said. Developing this attitude will let prospective employees know that they are joining a company that is open to innovation and experimentation, not one that's hyper-risk-averse and slow moving.
Connect training and retention
Russo said the next step is to provide high-quality training. This helps employees succeed in day-to-day work and stay engaged long-term. Companies are falling short on training programs.
"Ninety percent of workers say they need to update their skills at least yearly to work effectively in today's digital environment, but just 20 percent of business leaders are developing their people through experiential learning," Russo said.
Russo said Deloitte uses telecommuting, the gig economy, crowdsourcing, and alternative career and new talent models to tap into a truly global talent pool to attract cyber security experts.
"Leveraging these models provides access to a much broader spectrum of talent than your traditional workforce," he said.
Russo also said that a company's mission and values should align with the professionals it is trying to attract and retain.
Establishing a talent ecosystem--including partnerships with universities, leadership and mentorship programs, and non-traditional incentives such as student loan repayment and certifications--is another way to reach untapped cybersecurity talent.
Working with the next generation
Deloitte recently completed the Deloitte Foundation Cyber Threat Competition, an event that simulates a cyber incident with college students. Students have to gather information and make decisions on how to respond. They also need to package that information into team presentations to the "mock executive team" made up of leaders from Deloitte.
Russo said the competition is designed to better prepare students for moving from academia to the workforce. The competition also gets participants thinking about how security breaches create brand, reputational, and financial operating disruption.
"The talent of today has an innate awareness and acceptance that technology, like cyber, is everywhere, much like the need to protect their information, organizations are trying to protect their business, employee, and customer information," he said.
Russo said that the students he has worked with want greater flexibility, remote work arrangements, enhanced virtual collaboration, and corporate missions that prioritize impact.