Getting around the cybersecurity talent shortage

Bob Post, Senior Practice Director, Cyber Risk Advisory, Coalfire

More remote workers mean larger attack surfaces, and as cyber criminals take advantage of the rush to provision a remote workforce, the pain of the shortage of cybersecurity professionals has become acute. Last year, the ISC(2) Workforce Study identified a shortage of 561,000 cybersecurity professionals in North America. Globally, that number is over 4,000,000 professionals. In April of this year, another ISC(2) survey found that 47 percent of the cybersecurity professionals surveyed had been reassigned to other IT support activities while their companies ramped up to meet the requirements of a newly remote workforce. As we move to “what’s next?”, how do enterprises obtain the resources and expertise needed to better address cyber risk in the new environment?

Virtual Chief Information Security Officer, or vCISO, services have traditionally been a method to alleviate short-term staffing issues. However, if the focus is simply putting a body in a seat, enterprises will find that they are either over-paying for levels of expertise they don’t need or that candidates don’t have the depth or breadth of experience necessary to meet urgent needs. To be successful, the vCISO delivery model must be flexible enough to provide the right resource for the right task at the right time.

As part of our CISO+ service offering, Coalfire has identified three possible use cases. The first use case is where a senior cybersecurity professional is needed to deal with external stakeholders such as regulators and customers. Involvement with the board of directors would also fall under this use case. The number of hours for this individual might be small, but the required level of expertise and executive polish is likely high.

The second use case is the requirement for security program leadership. This role focuses on developing or refining a cybersecurity program and overseeing its implementation. In this role, coordination with internal stakeholders to develop business-aligned governance structures is key. To support this, policies are developed, the roles of senior leaders in risk management and incident response are established, and distinct cybersecurity projects are budgeted, developed, and implemented. This role is more time-consuming but doesn’t necessarily require the same level of expertise and experience as the first use case.

The third use case is where a company needs a mid-level cybersecurity professional to work with internal stakeholders to develop procedures and standards, ensure legal and contractual requirements are met, provide operational and technical-level incident response activities, and handle other day-to-day tasks. In this scenario, the hours and expertise level would be dependent upon the project.

When determining requirements for cybersecurity support, a careful needs analysis gives a full understanding of the role, the time required to fill it, and the level of expertise and experience needed to attain the desired results. Keep in mind that more complex needs may require more than one individual. Having a clear idea of the outcomes you’re looking for, rather than just putting a body in a seat, helps ensure success.
