The UK government was heavily criticised last November for its response to a parliamentary committee report on the severe skills shortages in critical national infrastructure (CNI). The committee chair claimed MPs remain unconvinced it has “grasped the immediate challenge” of keeping CNI safe from attack. The tense exchange highlights just how serious industry skills shortages have become.

It’s a problem mirrored across the globe. To respond, employers need to think differently about how they hire, and consider outsourcing elements of security that can better be handled externally.

A global epidemic

According to the most recent figures, the global cybersecurity skills shortage now stands at over 2.9m — including nearly 500,000 in North America and 142,000 in EMEA. The number of women represented in the industry remains far too low, at less than a quarter. Although it’s interesting that GCHQ has launched an interesting new initiative. Targeting girls aged 12 to 13, the UK’s intelligence agency is inviting schools to enter teams into a contest to crack codes, crosswords and puzzles and help find a new generation of female codebreakers to help defend against cyber attacks.

In the UK, MPs described the shortage of security skills in CNI as a “cause for alarm” despite recent government efforts to improve the pipeline of talent through other schemes aimed at schoolchildren, like Cyber Discovery and CyberFirst. The issue is that these do little to address immediate shortages — a problem many countries can attest to.

These shortages couldn’t come at a worse time. A perfect storm of increasing complexity in cybersecurity, combined with unprecedented threat levels and new regulatory challenges has sharply increased demand for talent. The bottom line is, without enough skilled practitioners in your team, your organization is dangerously exposed to cyber-related risk. Our Risk:Value 2018 report revealed that the average cost of a breach globally now stands at $1.52 million up 13% from 2017.

Thinking differently

So what can be done? At NTT Security, we’re certainly not insulated from the global skills shortage in the industry, but have been able to hire a steady stream of talent over the years.

If you’re suffering from cybersecurity skills shortages, your hiring strategy may need a rethink. Yes, there’s a need for specialists — in everything from incident response to compliance and threat intelligence — but don’t ignore those from outside the industry. Organizations with a more open hiring policy, not necessarily based on industry experience, may find a huge untapped talent pool. In fact, 87% of cybersecurity professionals didn’t start in the industry, instead coming in from non-technical roles, according to the ISC2

It’s important to also remember that newer entrants to the workforce may expect different things from previous generations. Increasingly, millennials are demanding a better work-life balance, clear career development and even a sense of moral purpose in their roles. Employers need to look beyond traditional practices to understand what’s motivating this new workforce.


Ultimately, however, there will be specialist areas where no amount of creating thinking or innovative recruitment policies make an impact. In those cases, a better option may be to outsource to a professional third party. According to Risk:Value, over a third (37%) of global organizations plan to use a managed security services provider (MSSP), most of them (28%) citing skills challenges as a reason. MSSPs are a more than adequate replacement for most stretched in-house teams. In fact, they’re specialists, devoting more money and resources to security than most CISOs can.  

With an expert partner on board you can finally free up internal staff to focus on providing more value elsewhere. That should be a no-brainer given the volatility of today’s threat landscape.