"We believe hands-on skills training and certification is key, and the demand for our courses — both in person and online — seems to bear that out," Pescatore says.
SANS is working to bring together CISOs to support a program called VetSuccess, where returning veterans with cyber security skills are mentored in private industry so they can have successful careers and increase the overall size of the cyber security talent pool.
SANS also has other programs, such as CyberAces, that work with high school and community college students who have a high aptitude for technical achievement in information security, to discover their talents, develop their passion and determine where their talent can best be nurtured, Pescatore says.
Enterprises and recruiters should look toward engineers and programmers who show an interest in the security field, says Tyler Shields, senior analyst at Forrester Research Inc. "Having the development and debugging background will help them to quickly transition into high-level security practitioners," he says.
Another interesting source of security talent will come from the quality assurance (QA) department, Shields says. "QA is already adept at testing and analyzing products and code for bugs and errors," he says. "The primary difference between QA and security assessment is the intent of the attack. In QA they just want to find bugs, while in security they want to find security exploitable bugs."
Regardless of where the talent comes from, organizations will clearly have a need to recruit people with a variety of security-related skills.
"Building a strong cyber defense means building a workforce that has the skills to handle the vast majority of threats to data, like malware or hackers seeking financial information," says Hord Tipton, executive director of the International Information Systems Security Certification Consortium Inc., (ISC)², a global, not-for-profit organization that provides education and certification for information security professionals.
"It takes skill and manpower to root out these threats and the proper tools, in the form of secure applications and software code," Tipton says. "We also need well-trained and certified people who are capable of recognizing and mitigating threats. A key component of raising awareness for enterprise users is to know what threats they are facing."