We use the internet for day-to-day activities from work to play to shopping under the assumption that security experts are keeping us safe from cybercriminals. But those security experts are already stretched thin — and the situation promises to get worse.

The nonprofit group ISACA predicts that by 2019, there will be a global shortage of 2 million cybersecurity experts. That is a skills gap crisis of epic proportions, and few organizations or companies have any clue what to do about it.

Part of the reason the situation has become so bad is that instead of taking active measures to solve this growing worker shortage, many in the security industry have placed blame elsewhere. Too often, the lack of a talent pipeline is attributed to the failure of universities that supposedly have not done enough to prepare the next generation of cybersecurity experts. Instead of actively seeking measures to enable the development of new workers, companies are more likely to poach top-tier talent from another company, adding incivility and unending staff changes to the existing talent-shortage problem.

It should also be concerning that companies are using the skills shortage as an excuse to enable lax security strategies. Because they don’t want to do the work of developing their own roster of experts, technology companies will outsource security and bolt vital cybersecurity tools on at the end of product development. Instead of preventing or defending, this approach creates far greater risk for all involved.

A far better approach, and one that my own team has adopted, is to develop security expertise in-house….