The Cyber Security Skills Gap

by John Svazic on 29 Sep 2020


As with most new industries, there is a mismatch between supply and demand, and the cyber security space is no different. While more and more schools are offering programs in cyber security, the truth of the matter is that demand still outweighs supply. It will take between 2-4 years for students to work through a program, and even then there won’t be enough graduates to fill the demand. The figures related to the job market aren’t much better.

A Shortfall of Skills

Some estimates predict there will be 3.5 million unfilled jobs globally by 2021, while others say we’re already facing a skills shortage of four million! So to sum it up: there’s a lot of need and demand, but sadly not enough supply. What often happens is that organizations are left to fend for themselves, which often boils down to putting their head in the sand and hoping for the best.

Strategies for Businesses

In my experience, companies who are faced with these facts react in one of three ways:

  1. They budget for a senior security person, and court the appropriately skilled individual(s) to join their organization.
  2. They search for someone in-house to train to take on the new responsibility.
  3. They seek out professional services to supplement existing processes until either option 1 or 2 is achieved.

Some businesses may decide that it is acceptable to just ignore the risk and run without any security program or direction. While this is a valid strategy, it really isn’t a safe one. Eventually every organization will face a situation which warrants some type of security response, and dealing with an event after the fact is nearly always the more expensive option.

There are other strategies that could be employed, such as outsourcing cybersecurity concerns to a Managed Security Service Provider (MSSP), or hiring for a specific job or need, such as a penetration test. However, even in those cases, you will still want to reach out to a professional organization for assistance.

Supplementing with a Cyber Security Consultant

There are a few advantages to hiring a cyber security consultant if you do not have staff internally to fulfill the role, or if your internal staff are still relatively new to the role. First off, a consultant will be focused on your specific needs, determining what your shortcomings are and providing you with a plan to help shore up your organization's security posture, even after they are done. A good consultant will offer reviews from network infrastructure to policy creation and even help build out a security program. End user awareness training is another great investment that can pay dividends down the line.

Most often, organizations are faced with a demand from a prospect or client, normally in the form of a request for your disaster recovery plan, latest penetration test, or even your security program/policy documents. Scrambling to pull these documents together is never a good look. Asking for an extension or a timeline to get these items to the prospect/client is a great first step. The next step is to reach out to someone who can provide you with professional results. The reason is two-fold. First, by being honest with your prospect, you can help win their trust by not trying to pull a fast one on them. Secondly, by hiring a cyber security consultant to provide the materials, you are showing a commitment to taking your clients' security seriously.


Finding the right professional will take time, and like all employees, you don’t want to rush this. Find someone that will listen to your needs, understand your business, and provide you with a sense of professionalism that will be reflected to your own clients. After all, a consultant of any stripe works for you, and you want their work to reflect your own organization in the best light. Ensuring you find someone with the best fit will definitely be a worthwhile investment in the long term.

Ask for referrals, check for reviews online, and see if you can get an initial consultation with them. Do they have an interest in your business, your current and future needs? Do they have samples of their work that they can share? Do these samples over-share, i.e. are they sharing previous client work that they have done, or is it more generic? I wish I could say that this doesn’t happen, but I’ve seen it with my own eyes.

In short, be sure to do your homework and get a feel for the consultant you want to hire. Like all good investments, research and due diligence will pay off handsomely.

– John

At EliteSec, we would be more than happy to discuss the security concerns you may have at your organization and how we can help to bridge those gaps. Contact us today and we’ll have a candid discussion on what pragmatic solutions we can come up with for your unique needs.
