"CIOs in this position must be able to communicate their beliefs about the level of security that's needed in language everyone can understand. The C-suite, executive boards, managers, entry-level workers all must understand that even if they can't see results of the security strategy immediately, that the strategy is working and the investment is paying off," she says.
Don't ignore education and training
It's not enough to simply invest in hiring security talent, though; adequate resources must also be devoted to keeping that talent on the cutting edge of security and best practices. "Sometimes executives believe that if they've hired a few people, they've solved their vulnerability problem. But it's more complex than that -- landing the talent's only half of the equation. It's about continuing education and training for that talent; defending budgets for conference attendance, educational courses and workshops. What your talent locked down and secured for you last year could be vulnerable this year. It's about more than just salary, it's a continuous investment into the best weapon you've got -- the brains behind the technology," says Weinstein.
Many organizations do understand the need for continuing IT training, especially in the areas of security, compliance and governance skills, but balk when confronted with the costs of such training, according to a survey from Cybrary, a provider of free massive open online courses (MOOCs) for IT and cybersecurity.
The survey asked 405 senior-level technology professionals about their companies' plans for IT training in 2015, according to co-founder Ryan Corey. While 61 percent of respondents said employees in their company need such training and 55 percent predicted an increased need this year and beyond, the survey revealed that most companies plan to spend the same amount of money on IT training for 2015 as they did in 2014.
Fewer than a quarter of survey respondents allocate 10 percent to 20 percent of their IT budgets to training, while 11 percent said they don't provide any money for IT training because it's too expensive -- and that could be a costly mistake.
"The data we've compiled suggests that companies do not provide enough means for IT training, despite a lack of IT talent and ever-increasing technology and cybersecurity challenges," Corey says. "This skills gap is only getting worse, even as demand for these skills accelerates. And most cybersecurity training providers are prohibitively expensive -- even the most forward-thinking business is going to raise an eyebrow at paying $3,000 to $5,000 per class, especially because the skills taught could be obsolete almost immediately!" says Corey.
That's not to say such training isn't worth it, by any means, Corey says. "Cost is the biggest obstacle -- for employees who want and need to learn these skills but whose companies cut the training budget, or who don't offer reimbursement for courses, it's a fantastic option," he says. Cybrary also emphasizes a focus on talent from developing nations that might not have the computing resources or infrastructure available to otherwise study and address security threats.