Noble said he believes training for cyber security has to start early. "Security must become part of early education curriculum and continue throughout one's school career," he said.
But training is not enough, even at the graduate level, since most organizations looking for a CISO want one who can, as Shaw puts it, "hit the ground running on Day One. You don't typically graduate from a college or university program with a lot of experience. I think this area can be addressed through programs that leverage internships where students are graduating with real world experience," he said.
Shaw said some of that is starting to happen, in programs like those at the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue. "Programs that bridge the gap between the technical and other disciplines are great preparation for those who are looking to move into the CISO role," he said.
Noble also cited a number of initiatives that, he said, "both build capacity and professionalize the growing workforce. Some of those include efforts of eSkills UK, the European Committee for Standardization (CEN), the International Organization for Standardization (ISO), the International Telecommunications Union, Telecommunication Development Sector (ITU-D), and the NICE Framework. (ISC)² is also investing its resources in a number of ways," he said.
But for those enterprises that can't wait until the shortage eases, Stroz said a workable alternative is outsourcing to a consultant, something his firm does.
Generally, he said, this is a conclusion the leaders of an enterprise reach when they realize the perfect candidate for a CISO in their firm may not be out there. "They learn with a recruiting effort that the profile and qualifications of what they are seeking may not be something they can evaluate," he said.
The obvious risk, he said, is that the discussions of how to find the right candidate "require getting into the vulnerabilities of the company. The discussion can be rather sensitive, since it can involve some very valuable intellectual property."
And, once again, it comes down to that "highly adaptable" person with both technical and business skills. "The goal is to create a risk-management environment that is consistent with your business goals," Stroz said.
"Without that in place, it is not going to work out well."