Circumventing the cyber security skills shortage

By Tom Scholtz, Gartner Inc.

Increasing cyber security threats mean most security and risk management leaders are growing their IT security teams. Hiring qualified and seasoned cybersecurity professionals has become increasingly difficult. Now is the perfect time to think differently and consider a “lean” approach to staffing, which can help alleviate this employment challenge.

Digital business has changed the risk landscape permanently. Even in the unlikely case that there are no resource constraints, scaling up a centralized cyber security function as more and more threats emerge isn’t necessarily the best way to protect organizations.

Those considering a different approach must observe the principles of digital business security:

  • Evolve security teams from being protectors of all infrastructure and data into facilitators of risk-based decisions throughout the organization.
  • Fully integrate security practices into the fabric of the organization, rather than bolting them on and enforcing them through a centralized security function.
  • Share accountability for protecting enterprise resources with business process, application and data owners — no longer is the security team solely responsible.

These principles run contrary to the idea of building an ever-growing security team to cope with the ever-growing list of threats. Realistically, many routine security functions can be performed as well, if not better, by other IT or business functions.

Identify security functions that can be devolved elsewhere

Assess your current security team’s effectiveness with a view to identifying functions or capabilities (such as user awareness communication) that can be devolved elsewhere in the business or IT department. Determine which functions are working well, and therefore should not be disrupted, and which are performing in a suboptimal capacity or perhaps not at all.

The next step is to identify the root causes of security problems. Are current staff overburdened? Do political or cultural barriers between business units exist? Are there scaling issues? Functions that are problematic for such reasons may be candidates for devolution.

If there is no dedicated security organization, which means that both IT and non-IT staff currently perform all security functions, the main problems are likely to be due to a lack of coordination. Such a situation indicates potential for establishing a lean governance function.

Find a new home for poorly performing security functions

Based on your assessments, identify alternative locations in the business or IT department for security functions that are unresourced, underresourced or performing suboptimally. Alternatives should possess the capacity, resources, political clout and business incentives to support the relocated functions. Another possibility is to outsource them to a managed service provider.

Many traditional security practices for endpoints and networks could find a new home with professionals in the IT infrastructure and operations team. Application security functions could relocate to application development and DevOps teams.

This approach can potentially result in the design of a “lean” security organization where a dedicated security leader manages centralized coordination of key governance and operational activities.

Pros and cons of the lean approach

Benefits come with taking a lean approach to digital security. For example, your business can circumvent the skills shortage in the cybersecurity field. Such an approach can also help build a broad understanding of security matters throughout an organization. This is entirely appropriate, given that all employees should understand and be able to manage the security implications of their jobs.

Moving security decisions closer to the business units affected can also help drive more informed decision-making, based on a better understanding of the underlying processes and business impacts.

A key disadvantage, however, could be that fragmenting the security role and security responsibilities across different reporting lines may disrupt coordination, especially in geographically dispersed organizations. Clear direction, strong governance and effective program management should be enough to keep this risk under control and help realize the benefits of a lean security organization.

Tom Scholtz is a research vice president and Gartner Fellow. He is also the chief of research for Security and Risk Management. He advises clients on security management strategies and trends, and is an acknowledged authority on information security governance, security strategy, security organizational dynamics, and security management processes. 

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Gartner, Inc. (NYSE: IT) delivers actionable, objective insight to executives and their teams. Our expert guidance and tools enable faster, smarter decisions and stronger performance on an organization’s mission critical priorities. To learn more, visit

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now