For this reason, Melk believes CIOs should begin to build security capabilities among their existing staff rather than solely seeking external candidates to fill these needs. "We've got to do more than simply increase salaries or benefits," he says. "Businesses need to find ways to fill the gap by nurturing internal talent."
In fact, DICE is working to identify skill commonalities between an array of IT and security positions, and then developing a skills map that can help professionals create a plan for filling the gaps. "The good news is there are a lot of related jobs where folks in various roles could move into a security role," Melk says. "When you look at typical skills for various titles like assistant security engineer, security auditor, IT security project manager, all these skills are consistent with the baseline requirements of roles like network security or intrusion detection," he says.
What stands in the way is a lack of understanding about the exact skills required to move to a particular position, and the quickest way to get there. "We're trying to make the journey as short and as inexpensive as possible," he says. "While going back and getting a degree is a clear path, it's not the only option."
• Don't assume you need to go back to school.
Indeed, while the bar for entry into a security position may be difficult to overcome, never before have so many learning resources existed, says Combs, whether through free online classes, certifications and becoming part of a security community. From SANs, to ISACA, to Information Systems Security Association (ISSA), to ISC2, to the Open Web Application Security Project (OWASP) and beyond, there are many highly active security organizations that offer both training and a community of people that can share ideas.
Getting involved with OWASP, Bellanger says, "is the best vector for getting hired and receiving the best advice for certifications."
Martin-Vegue advises starting by taking a free online class on security fundamentals through a provider like Coursera or EdX, and then determining which sub-field would make the most sense to pursue. "Once you get a good baseline down, find stuff that interests you and gets you excited about information security and begin to specialize," he says.
Melk agrees that online courses are a great option to grow skills, especially when employers don't offer training. "You can take courses on your own without going back and getting a bachelor's or masters in cyber security."
Once you have a sense of which direction you want to head into, certifications are a good choice, as they continue to be highly regarded in the security field, Martin-Vegue says. "People say they don't prove anything about real-world skills, but the truth is, hiring managers do look for them," he says. "Even if you think they're pointless, if you want to get a job, you have to have your certifications."
Sign up for CIO Asia eNewsletters.