For its part, ACSC is working to launch a fellowship program that will connect students with industry players to improve talent development. Harvard, MIT, Boston University, Northeastern University, UMass, and Worcester Polytechnic Institute are all ACSC members.
"The idea is to identify the talent within these universities, and connect them with industry members in form of fellowships that are related to the areas of research these students are pursuing -- which are also areas of interest for the industry folks," Benway says. Once launched, the fellowship program will then feed into boarder collaboration on R&D projects and solutions, he says.
More training and education also are needed for IT pros who've already begun their careers. There are opportunities for people skilled in incident response, for example, or risk professionals, to transition into cybersecurity roles. "People who understand the business world, and processes, and have an aptitude for technology, whether they're actually in the technology organization or not. They can be potential candidates today as well," Stroud says.
But it takes work. "There's a defined lack of training available right now. We want to bring some of those training courses in," Stroud says. "That's one of the reasons why ISACA transitioned into this space. We saw this need, over the complete career and various skill sets, of a security professional's progression."
ISACA administers four certifications -- Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC). Last year, the organization launched the Cybersecurity Nexus (CSX) program, which specifically targets cybersecurity skills development with research, education, certificates and certifications, and industry mentoring programs.
How picky is too picky?
UMass is able to hire student workers and recent graduates in greater numbers than a lot of organizations, Wilson says, but the university still struggles to fill more senior security roles. "The higher level positions, or the more senior level positions, we still have difficulty finding the right talent, just like any other industry."
At the senior level, the qualities that make a strong candidate are a combination of technical acumen and business skills.
"You need technical skills, because you have to figure out what's going on. It's not always easy, because the adversaries are getting better and better. To diagnose, to figure out whether or not you're being attacked, to identify root cause, and to figure out whether any information has been infiltrated -- it's not straightforward," Wilson says. At the same time, candidates need strong business and communication skills. "While you're fighting the fire you need to be communicating with executive management."
Akamai's Ellis views the staffing challenges differently than many of his peers. "There are areas of the country where finding people with a specific seniority level is really challenging," he says, but "that doesn't mean that there's a shortage overall."
Sign up for CIO Asia eNewsletters.