Cost implications in upskilling for Cyber Security

Is there a shortage of InfoSec skills in the world? According to ESG Research, 46% of organizations say they have a “problematic shortage” of cybersecurity skills in 2016, a rise from 28% the previous year. And in the 2015 (ISC) Global Information Security Workforce Study, 62% of the survey respondents stated that their organizations have too few information security professionals, up from 56% the previous year. With new information security vulnerabilities appearing with every sunrise, there is every bet that this problem isn’t going to be solved any time soon. As the President of NIC, a managed service provider in Los Angeles, I have talked to many CIOs around the States and the one thing that stresses their hearts out is when their talented IT security employees are moving on to their competition due to the enormous demand that exists today.

And as new technologies evolve like cloud, mobile, IoT, big data, SDN and NFV among others, organizations are playing catchup in upskilling engineers to be able to handle the security challenges that come with them. There is a significant cost element to training an InfoSec personnel and while companies are not shying away from expanding their training budgets to equip their employees, there is always the fear that they will move on to other organizations which can offer them advancement or better remuneration and benefits. I don’t believe that salary is the only driver towards retaining employees, but given the InfoSec situation, corporations will have to pay a premium to keep this category of personnel.

What InfoSec skills are in short supply?

In their 2014 Cybersecurity Professional Trends study, SANS Institute listed the top five skills as firstly incident handling and response, followed by cloud computing/virtualization, analytics and intelligence, audit and compliance and lastly intrusion detection. While the 2016 IT Skills and Salary Survey conducted by Global Knowledge, 5 out of the top 10 most paying certifications were from InfoSec industry including ISACA’s CRISC, CISM, CISA and CISSP as well as Certified Ethical Hacking from the EC-Council.

What are the costs involved in InfoSec training?

A top course like CRISC can cost upwards of $600 on an e-learning platform and $2000 in a classroom based setup excluding exam fees which can range from $400 to $600 depending on ISACA membership status. What this means is that an individual would find it challenging to raise such an amount for themselves just for one course. So employees will most likely want to the employer to handle these costs and they benefit from the skills. This puts the employers on a difficult path as they will choose to either invest in their employees who will leave for greener pastures or bring in already certified employees who will demand a pretty penny for their services.

What about outsourcing the skills?

This is an easier way of managing the skills gap. An organization will choose a managed service provider to provide network security as well as information security skills, and it will be up to this third party to hire or contract the skills and bill this client (and others sharing the same skilled resources). While this can be advantageous to the organization from a cost perspective, lack of skilled staff means that you take the managed service provider at his word. This at times can be a challenge if a breach takes place and the provider is at pains to explain to you what happened or you don’t have the capability to understand.

Other hidden costs

To ensure that your employees are properly equipped to handle security challenges, it is important that a security lab be put in place where they can sharpen their skills as well as test their InfoSec tools in controlled environments. Such a lab can be hosted in the organization’s data center or rented from a managed service provider. Whatever the case, this is an additional cost which the organization has to bear. And I assure you that it can be significant if the lab is to replicate your real environment.

In addition, certifications from the likes of ISACA are not everlasting and require renewals plus annual membership fees. An employee will prefer that the employer who paid for the certification handle these additional fees as well. For the employer, though these are additional costs, there is a benefit in that it plays a role in employee retention.

Way forward

Consulting an expert in information security qualifications can give you the right guidance on which InfoSec qualifications are of benefit to your organization. NIC has a wealth of experience in cyber security and our experts are at hand to support you. Contact us today and take advantage of our IT professionals who stay up-to-date on the latest technologies and are more than happy to share their knowledge with you.

Providing solutions to fit your organization’s IT needs

IT Partner