It's no secret by now there is a cybersecurity skills gap and organizations are having trouble hiring and retaining certified security talent.
IT security professionals who are available command huge salaries, often beyond what the average channel firm can afford to pay. Kaspersky Labs recently published a report that two out of three managed services providers (MSPs) are hindered by shortages in security staffing.
But channel firms are getting creative in tackling the dearth of skilled security workers -- often by training motivated staff and bringing them up through the company ranks. Officials at some firms say it's not a question of whether it's better to hire people with IT security certifications versus training employees in security skills. In many cases, they have no choice but to do the latter.
"We knew right away if we went out and hired top certification individuals, that would put us out of a price range to do anything in that market," said Ron Culler, CTO of Secure Designs, a Greensboro, N.C., company that provides managed firewall security for small and medium-sized businesses. He added that the Secure Designs' security services "don't necessarily require CSO [chief security officer] credentials."
So Secure Designs built an internal process that starts all new hires in a "provisioning group" where they learn how to deploy firewalls and "why we do it the way we do it," he said. Employees are required to get vendor certifications for the security appliances the company uses. Additionally, employees are taught how to operate the firewalls and what configuration information they need to obtain from customers.
Once the Secure Design employees have their certifications and understand the company's processes, they can transition to operations and support teams and move into tier 1 or beginner support positions, Culler said. The operations group is comprised of staff members who handle day-to-day policy work, such as adding and removing users or redeploying the firewall at another location, he noted.
Most employees spend anywhere from three to six months in the provisioning group before they transition into support. "We're at a good place right now," Culler said. "Because security talent is hard to find, we build our own and hire when we have gaps." Secure Designs also has some staff working on getting their ethical hacker and Certified Information Systems Security Professional certifications right now.
Yet, Culler said security staffing is still somewhat of a challenge because vocational school and four-year degree programs "really aren't that mature yet and there is still an issue trying to get them [designed] to deliver the trained individuals companies need." He said the company has seen individuals coming out security programs at universities with only very basic knowledge, and often the course material is not up to date.
"Unless they get some experience in mentorships or some potential lab work on a research project, they're getting foundational experience but not current, real-world experience in what businesses are dealing with today," he observed. Keeping up with the rapid pace of change in technology in general and security issues is, of course, a big struggle companies have.
"You can give people basics, but too often it doesn't fill all the gaps, so you have people leaving [college] with a degree and minimal skills," he said.
Security staffing: Training with a focus on strategic marketing
Several years ago, Ken May attended CompTIA's ChannelCon conference and noticed almost all the sessions were focused on IT security. A number of MSPs were "freaking out about the changes in the industry with a shift toward security," recalled May, CEO of Swift Chip, an MSP based in Santa Monica, Calif.
He knew the choices were to either hire high-level security people or develop them internally. "We simply didn't have resources to hire someone at a six-figure huge salary, but we still need to be able to sell our business plan and market it."
As a nine-person MSP with two offices, May said he decided it "made a lot more sense, since I'm fairly technical, to build out my own skills with a focus on IT security." So he partnered with security training organization SANS, and, over the past couple of years, has received numerous certifications. Now May is a security mentor and working toward becoming an instructor. His certifications include GIAC GSEC and GIAC GPEN. He received CompTIA's Security+ certification and will probably get Cybersecurity Analyst certified as well.
Barry Coopervice president of marketing and corporate communications, Fishtech Group
Selling his security skills as a brand has "definitely opened a lot of doors," May said. "Just changing the marketing message from generalized IT support to one that's security-focused has been huge across the board."
May's security staffing strategy for obtaining other skilled workers is to train his own employees. Most employees are now working on getting Security+, a more general baseline cybersecurity certification, he said. He is also offering ongoing cybersecurity training from KnowBe4. This way, employees can identify phishing emails and potentially malicious documents, since the strategies criminals use are constantly changing.
Helping employees advance
At Fishtech Group, a cloud security firm based in Kansas City, Mo., the goal is to "always seek the most qualified IT and security talent available," said Barry Cooper, vice president of marketing and corporate communications.
In July, Fishtech partnered with Perch Security, which has a security operations center. Fishtech also focuses on individualized development programs and invests heavily in ongoing training. "Employees desire growth opportunities. Robust internal training programs and direct investment in competency building initiatives draw talent," he said.
One such employee was a high school teacher who applied to be a security instructor, Cooper said. "This person possessed the technical aptitude to consume large amounts of technical information, understand it and pass the required certifications. Our organization invested in this individual's future and they responded and achieved exceptionally well."
Eventually, the employee completed all the company's required competencies to become a director of training services, he said.
How to retain staff you have trained
Of course, all companies worry about losing employees after they have invested time and resources into training them.
"There is always a risk that your investments in training and development of security talent will result in their moving on to other organizations," Cooper said. "The best way to mitigate this threat is to provide clear and measurable paths to success."
Organizations should also deploy a robust performance management program that focuses on retention and employee development with clearly defined pay bands and requirements tied to advancement, he added. "You can spend a ton of money to retain expert talent or develop individualized training and development programs tied to advancement," Cooper said. "The first approach delays the inevitable. The second breeds dedication to your brand."
Like Fishtech does, others said they are also offering opportunities for advancement. Additionally, they provide employees familiar perks such as competitive salaries and benefits, a good work environment and flexible work schedules.
Overall, to meet security staffing needs, channel firms must figure out the approach that is best for their own company.
"What makes sense for the average channel company now is looking at where you're taking your business," Culler said. "Certifications are important because they add credibility, as well as meeting certain compliance requirements."
Read this guide to vendor-specific certifications
Learn about Fishtech's evolution as a security company