Despite increased awareness about the importance and value of effective corporate cybersecurity, as many as 1.5 million cybersecurity jobs may be vacant by 2020. And the workforce is already feeling the effects—many professionals say their organizations already lack enough qualified cybersecurity workers to protect their networks.
This is evidenced in the 2015 (ISC)² Global Information Security Workforce Study, which is based on a survey of 13,930 qualified information security professionals conducted in late 2014.
The study found that 62 percent of respondents felt that their companies did not have enough information security professionals. This is an 8 percent increase from 2013, when only 56 percent indicated this same shortfall in their organizations, according to the report, which was compiled by Frost & Sullivan.
Even more troublesome, however, is that over the course of the next year, only 52 percent of respondents expected the number of information security professionals at their organization to increase, while 42 percent said the number would stay the same, and 3 percent said they expected the number to decrease.
Reasons for this stagnant hiring include business conditions that can’t support additional personnel at this time (57 percent), difficulty finding qualified personnel (37 percent), and insufficient understanding of the IT security requirements by leadership (45 percent).
These numerical findings are backed up by numerous anecdotal stories that come from executives and experts alike.
“I don’t know one company that has all of the talent it needs,” says Mark Weatherford, a principal at The Chertoff Group. “Everybody I talk to has vacancies that they would love to fill…the shortage of talent is real.”
Driving this shortage are a variety of factors creating what the report calls a “perfect storm,” leaving in its wake a widening gap between the number of needed security professionals and the actual number of candidates available for hire.
One major driver is the rising sophistication of cyberthreats designed not just to accomplish a single goal, but to be “persistent and effective over an extended period of time,” the report explains. “Consequently, identifying compromises and qualifying their severity requires constant diligence and deep pockets of expertise. An advanced degree of talent, knowledge, and time is also required to thoroughly root out discovered compromises.”
In other words, it’s “harder to be good in the security business,” explains Weatherford, former deputy undersecretary for cybersecurity for the U.S. Department of Homeland Security. “When I grew up, I was a generalist. I could do a little bit of everything. Today, that little bit of everything is just too much—there’s too much for anybody to learn in the short term.”
This leads to another driver identified by the report: as more security technologies are created and introduced, more workers are required to monitor and respond to them. But “expertise in effectively and efficiently managing a growing stable of security technologies does not materialize overnight; investment in formal and on-the-job training is required,” according to the report. “Having a portion of the security staff active in some form of training and education, thus taken off-line, at any point in time is increasingly a common necessity.”
While there’s no quick fix for the problem, several strategies might help, starting with attracting more young talent to the field. The average age of cyber IT professionals is 42, says (ISC)² Executive Director David Shearer.
“The workforce that we have is getting older. There aren’t enough people to do the work, so it’s exacerbated because people are burning out,” he explains. “If you don’t have enough people on the staff to rotate the workload, we’re running these folks into the ground and the cavalry is not coming over the hill.”
To create that cavalry, Weatherford suggests making cybersecurity training a national priority and creating a sense of urgency that President Barack Obama and his successor can get behind to create national programs focused on cybersecurity. “While the administration has been pretty forward leaning on creating programs through different agencies…[cybersecurity] hasn’t risen to the level of urgency that I think it should,” Weatherford says.
For instance, the federal government already has a few programs focused on cybersecurity, including Scholarship for Service. The program provides scholarships for students at participating institutions in exchange for their work in government service after graduation.
“If you’re in this program, you go to work in the government for two years, you get some kind of real-world experience, you get to satisfy your patriotic jones by working for the government, and it’s good for the nation and it’s good for you,” Weatherford explains.
However, Weatherford says the federal government can go further by creating a clear plan that outlines how many professionals need to be trained in a given amount of time to combat the workforce shortage. “This is the kind of issue that demands that level of attention by the federal government, and that can flow down through the state governments and into the private sector,” he adds.
When it comes to private sector action, Weatherford says companies can get involved by sponsoring learning opportunities and clubs at local schools to attract young people to the industry.
Companies could provide an annual stipend of $5,000 to $10,000 to schools to support clubs or purchase computers—an amount Weatherford says many Fortune 500 companies routinely spend on lunch in a day.
“If you do this in your community, kids are going to grow up and they’re going to be looking for jobs. These are cherry picks for you,” he explains. “They’re going to grow up and they’re going to know you all their life, and you’re going to have first dibs on them when they get ready to go look for a job.”
Recruiting younger talent into the industry can also help companies with their bottom line, given that experienced professionals have seen a rise in salaries from an average of $98,605 in 2011 to an average of $103,117 in 2015 for (ISC)² members globally, according to the report. “That’s the reality of our business; it is true economic supply and demand,” Weatherford says. “Whenever the demand outstrips the supply, prices go up.”
Additionally, private industry and the federal government can use initiatives to tap into underprivileged and minority communities that may have talented individuals who might not know about the cyber career opportunities available to them.
One such program is the Air Force Association’s CyberPatriot, a National Youth Education Program that encourages middle and high school students to pursue careers in cybersecurity or other science, technology, engineering, and mathematics disciplines. CyberPatriot’s annual competition—the National Youth Cyber Defense Competition—puts teams of students in the position of newly hired IT professionals tasked with managing the network of a small company.
Through various rounds of the competition, teams find cyber vulnerabilities within the network and must harden their system while maintaining critical services. Teams compete for top placement in their state and region, with the top teams in the nation winning a trip to Washington, D.C., for a national competition and a chance to win scholarship money.
Facebook is a major corporate sponsor of the program, and, in a presentation at the RSA Conference, Director of Security Operations Jennifer Henley said that 57 percent of students who participated said that they understood more about the career opportunities in cybersecurity and how to pursue them. Students were also more likely to want to pursue a career in cybersecurity after competing in the national competition, Henley added.
CyberPatriot is also helping attract young women to cybersecurity—two of last year’s top three teams were 50 percent female, according to Henley. “That’s where we need to be…we don’t want people thinking this is a field that doesn’t welcome or support women in it,” she explained. “We want everyone to feel welcome. Or else we’re not going to be able to fill all those jobs.”
And Weatherford agrees that more needs to be done to introduce women and girls to cybersecurity earlier in life to attract them to the field. “We need to not just toss it out there and say we want more women and minorities—we need to target women and minorities,” Weatherford says. “We need to be cultivating them early in their lives, and maybe not just for cybersecurity, but to get them into science and technology areas where we as a nation really need help.”
Using these various tactics, the government and the private sector can both add diversity to the industry and help ameliorate the future workforce shortage. “We know that within the profession today, there are underrepresented minorities. We have to find a way to reach out to those communities,” Shearer says. “It’s the socially right thing to do, and…it can be part of the solution. We have to find ways of attracting all of those underrepresented communities to the table.”