We have all read and probably even lived the statistics. ISACA claims there will be a global shortage of two million cyber security professionals by 2019. Every year in the U.S., 40,000 jobs for information security analysts go unfilled. Maybe some of those positions are in your organization.

It’s tough for all of us who want skilled people with the right information security expertise to help us protect our businesses. Those people are in high demand, and unless we have unlimited budgets, we might not be able to attract and retain them—but that doesn’t mean our openings have to go unfilled. Sometimes it just takes some flexibility to build out a good, solid team.

Here are a few ideas that I have put into practice to ensure that my company doesn’t go wanting for the information security professionals we need.

Cultivate knowledge-in-depth just as you do defense-in-depth

As a leader or manager, it’s important to be trusting, to be smart about who you hire, and then to know that the individuals you’re hiring are capable of doing even more than what they were originally hired for. There’s a lot of benefit in teaching people new skills by having them train for different job roles.

I make a point to cross-train the people in my own organization. I never want to have just one person filling a role. I’ve got my primary employees for each of the areas of information security, and then I make sure I have a secondary individual who trains up for the role. Maybe this person doesn’t even have experience in that role, but the cross-training provides a great way to get that individual ready to step into the role, temporarily or permanently, if the need arises. Just as we apply defense-in-depth, we should cultivate knowledge-in-depth as well. That way you should be able to avoid having an unfilled opening that impacts your mission.

Passion for a job puts perfection in the work

Steve Jobs is credited with saying, “The only way to do great work is to love what you do.” This is why I never overlook people who have a passion for information security, even if they don’t have all the qualifications I’m looking for. I’m a classic example of that philosophy; I started my career in sales, but my passion for information technology eventually brought me into IT and then information security.

I like to hire from within and it’s always great to have individuals from other business areas that have an interest in security that you wouldn’t otherwise know, and have them come in and talk. If we have an opening and it fits the role and responsibilities and the person’s qualifications, I would love to bring someone in from another area that has that passion. I can teach anybody any of the tools, the techniques, the processes and the programs; I can’t teach passion. If the individual has that fire and likes having a coach rather than a manager, then we can do a lot of great things together. That’s how I am personally, so I look for people that are like that as well.

Even coming from outside the organization, if someone shows the interest and the drive to learn a certain function – whether it’s information security or even IT, for that matter – I like to give them a chance if they really want the job. There are people who want the ball, and they’ll take the ball and they’ll go. They will work really hard for you and they will be a good asset to your team.

Location, location, location is important in real estate but not in information security

Information technology provides a lot of flexibility in the way that people work today. The old work philosophy used to be “butts in seats,” where everyone had to be at their desk, in their office, from open to close, every workday. Of course, that no longer applies today for many types of workers. To attract and retain good talent, it’s important to be flexible and know that people want a work/life balance, and that they need to work from home or other remote locations. That’s why we have VPN. If they need or want to work remotely, that’s okay by me.

I have two individuals on my team who work in other cities. I manage them just as closely as I do the people who work in my office location. Our working relationship is based on trust. What’s more, I don’t want to manage people and things more than I have to. I’ve got enough on my plate; so, what I try to do is hire really good and talented people. I give them some direction, tell them this is the area we want to focus on, and then get out of the way. I let them take care of their jobs and I watch and see how it goes the first few months. But, once that flywheel gets moving on their end, they feel a sense of ownership—“this is my program, this is my space.”

It doesn’t really matter where people do their work, as long as they get it done. Giving someone the flexibility to work outside the regular office setting can be the difference between hiring a great team member and missing out on a resource you really need and want.


The shortage of information security professionals is projected to continue for years to come. To recruit and retain a good workforce, you have to be flexible and creative in selecting and cross-training people.