Attitudes towards security are continuing to harden, with terrorism, geopolitical uncertainty and cyber threats now joining over-regulation in the top four threats to business growth prospects in PwC’s 2018 CEO survey. But after endemic under-investment in skills development for over a decade, surely it is time for a significant change in approach to safeguard business?

Organizations now recognize the need to invest heavily in security, but investment doesn’t come cheap. Day rates for cyber security experts can reach nearly $2,000, which shows the industry clearly has a massive supply and demand problem. The escalation in cyber threats has created an unprecedented need for individuals with skills, talent and experience, but it is chronic under-investment in training and education that is truly at the heart of the skills shortage problem.

What went wrong?

The ramifications of the massive spike in outsourcing a decade ago are now being felt. When huge swathes of technical experts were brought across from public sector to private sector organizations, a history of training, education and skills development was lost. These individuals are now leaving the industry in swathes and their skills have never been replaced. The result is escalating demand and a pool of resources that continues to shrink by the day.

There are so many flaws in the current model. The industry lacks the ability to sell itself, particularly when it comes to inspiring the next generation by demonstrating that IT can be an exciting and financially rewarding career. Over the past decade, training has become almost exclusively product-focused, a move that has further weakened the depth of expertise offered by any one individual.

The current approach is no longer sustainable. The only way organizations will be able to address the huge demand for cyber security skills will be to take control and invest – which means shifting away from outsourcing and a reliance upon expensive contractors, towards re-insourcing key services, including security. The onus is now on companies to build up their own expertise in-house.

Investing is essential

At the same time, the IT industry needs to step up and invest in training – true, agnostic training, not product-specific, ersatz sales education. If the next generation of cyber security individuals are going to be able to make the right decisions, they need an excellent grounding in all aspects of security – from compliance to standards, including GDPR, PCI and ISO 27001. It is only with in-depth understanding of end-to-end security issues that individuals will be able to create a robust security infrastructure supported by the right product choices.

From vendor-agnostic training to a commitment to inspiring the next generation to join the industry in the first place, everyone demanding a solution to cyber security skills shortages today needs to step up and become part of the solution – not the problem.