Privacy Canada is community-supported. We may earn a commission when make a purchase through one of our links. Learn more.
Cybersecurity Skills Gap
Cybersecurity is one of the most crucial aspects of information technology.
As most people’s lives become increasingly integrated with their online activities and more organizations’ businesses become eCommerce-oriented, the skills required to secure these host of corporate secrets and personally identifiable information (PII) has become highly in demand.
Unfortunately, for any enterprise worth its salt, the question isn’t “if”, but rather “when” an attempt will be made by criminals to breach its information system in order to get their hands on the crown jewels residing in them.
Consequently, cybersecurity has become top-of-mind for companies seeking to safeguard themselves against the huge cost of data theft.
However, the availability – or lack thereof – of skilled cybersecurity professionals is one of the most challenging problems facing business enterprises today, for the simple reason that there aren’t enough people capable of filling those roles.
A non-profit security organization, (ISC)², which is the largest association of certified cybersecurity professionals worldwide, reports that the global cybersecurity workforce currently stands around 2.8 million.
But this figure is anemic compared with the worldwide demand of 4.07 million; thereby requiring an increase of 145% of trained cybersecurity professionals to fill the shortfall! Perhaps even more disheartening is the fact that unfilled positions experienced an increase of 2.93 million from the previous year of reporting.
ISC² reports that for North America, the gap increased by 561,000, while Asia Pacific (APAC) experienced a whooping shortfall of 2.6 million.
Europe equally faced dire news, witnessing more than a 100% spike over the same period of time, from 142,000 to 291,000.
ISC² compiled this figure by conducting interviews with 3,200 security professionals worldwide for its most recent Cybersecurity Workforce Study report.
This article will look at the cybersecurity skills shortfall through the prisms of education, training, old-fashioned supply and demand, and possible remedies for the problem.
Cybersecurity skill shortage: Demand overwhelms supply
- It is predicted that by 2021, 3.5 million cybersecurity roles will remain unfilled
- The stat above represents a whooping 1 million increase from 2014
- 350%, that is the rate of unfilled job growth over an eight-year tracking period
- 40% of executives in security say skill shortage is the cause of turnover and high rates of burnout
- Millennials only expressed a 9% desire to pursue a career in cybersecurity
- 74% of those interviewed in a survey responded that a shortage of cyber skills had impacted their organization.
Hackers and cybersecurity criminals are getting increasingly sophisticated and even seemingly fortified companies like banks and financial institutions have had their defenses breached. In addition, some of these are state-sponsored actors who have the resources and wherewithal to mount sustained attacks with a steady supply of hackers orchestrated to do their bidding.
As cyberattacks have grown in sophistication and brazenness, it is imperative that countries develop a pipeline of trained cyber professionals to counter these hackers. However, experienced and skilled cybersecurity staff don’t grow on trees.
Frankly, the pipeline to rapidly supply this insufficient number of positions in the cyber field is grossly inadequate. Moreover, these positions take longer to fill compared to other industries.
Unfortunately, there are no silver bullets or quick fixes to this problem. Jon Oltsik, who holds the position of senior principal analyst at IT research firm Enterprise Strategy Group, sheds more light on the problem by underscoring the difficulty of working in the cyber field.
This degree of difficulty is tied to the constantly evolving and changing nature of the industry: “I always say that cybersecurity professionals are like physicians, in that they have to spend ample time studying the latest research and threat intelligence,” says Oltsik.
The trade association for technology staffing and services companies, TechServe Alliance, states that the crux of the matter is how to successfully scale and ramp up technical talent fast enough to close this Grand Canyon chasm in talent shortfall. However, the current pace of growth is abject due to this critical shortage of talent development.
A survey from the Center for Strategic and International Studies discovered that IT professionals considered technical skills such as secure software development, attack mitigation, and intrusion detection as the most difficult competencies to find among today’s crop of security staff.
This skill challenge is most acute for mission-critical roles. A survey of California employers and post-secondary institutions (which encompasses Silicon Valley) discovered that as much as a third of organizations lack crucial roles on vulnerability assessment and as much as half employers are experiencing deficiencies for cyber defense candidates
Cybersecurity Skills Gap: Myth or Reality?
- Less than 1 in 4 candidates are qualified for the cybersecurity positions they apply for
- Cybersecurity professionals possibly earn $90,000 or more, yet vacancies still persist
- 314,000 cybersecurity jobs were posted in the United States between 2017 and 2018
- 82% of respondents in a survey expressed that there is a shortage of skills in cybersecurity
- 3 out of 4 respondents suggest the government is taking inadequate measures to bridge the skills gap
- 60% is the number of respondents that say their organization outsources some cybersecurity work
- 53% of companies between 2018 – 2019 said cybersecurity skills shortage was problematic
According to Oltsik, “There is more demand for talent, and not enough talent out there.”
A security advisor for ZeroNorth and president of Spinnaker Security LLC, United States Navy (Retired) Rear Admiral, Mike Brown, says “I think there is great awareness now about the shortage of cybersecurity professionals.”
However, there has been a whispering campaign that suggests the skill gap in cybersecurity is nothing but a myth. Their assertion of this school of thought is that companies that are unable to recruit fail to do so for the simple reason that they are unwilling to pay the prevailing market price for the available professionals.
Another fact, as highlighted by Karla Reffold, who is the Managing Director of Nicoll Curtin, a FinTech recruitment company is that a significant number of those who sincerely desire to enter the industry struggle, even after training.
To compound the situation, Refflold said that most of these candidates are at a loss on how to effectively fill out applications and make themselves stand out. As a result, companies are even finding it challenging to fill entry-level positions in cybersecurity.
This, according to Reffold, is responsible for the losing proposition employers find themselves.
Employers have so far been chronically unable to solve this problem, often compounding the situation instead. After getting burnt by the cost of so many bad hires and employee churn, most organizations have become skittish, demanding perfectly qualified candidates. If they don’t check all the correct boxes, their chances of getting hired are doomed.
“Employers are demanding more of job candidates than ever before. They want prospective workers to be able to fill a role right away, without any training or ramp-up time. To get a job, you have to have that job already,” says Peter Cappelli of Wharton
In addition, while entry-level positions are routinely requested, most of the cybersecurity roles that go unfilled are for senior positions.
For those trying to question and debunk the reality of the cybersecurity skills gap, they might want to consider the report in Monster, the online job site, which reported that cybersecurity professionals have a 0% employment rate. That is 0% as in zero, zilch, nada, nothing!
This is because the spate of high-profile hacks into corporate networks and financial institutions during the past decade has turned cybersecurity professionals into must-hires. In a related statement on the matter, Steve Morgan the Cybersecurity Ventures CEO, “Anyone with cybersecurity experience can find immediate employment.”
Morgan, however, tempered his statement by emphasizing that while the 0% unemployment is still valid, that while there might be a few members of the cyber workforce who might be in transition: in-between jobs, resigned their erstwhile job to pursue other opportunities, or perhaps taking a break.
There isn’t any need to mince words: cybersecurity talent shortfall isn’t a mirage and it is hurting businesses. Based on empirical data from reliable sources, the skills gap is real and most acute in technology sectors such as cybersecurity that are constantly and rapidly changing.
Cybersecurity Skills Gap: A clear and present danger
- The cost of cybercrimes have reached $445 billion annually
- The average cost of each cybersecurity breach is estimated at about $3.92 million
- 270,000 incidences of cybercrimes such as credit card fraud and identity theft reported
- A year-to-year assessment between 2018 and 2019 shows an increase of 17% in cyber breaches
- Web and supply chain attacks on network infrastructure rose by 75% and 78% respectively
- In the past year, 577 data breaches which ultimately exposed 15.3 million records
IBM’s 2019 Cost of Data Breach Report, which “explores financial impacts and security measures that can help your organization mitigate costs” states the average total cost of a data breach is approximately $3.92 million.
The study, conducted in conjunction with Ponemon Institute and IBM Security analyzes up to 507 organizations across 17 industries and through 16 geographic regions discovered that the United States bears the biggest brunt of cyber breaches with $8.19 million.
It records that the average size of records compromised in data breaches is 25,575 records, with the healthcare industry the victim of the most expensive at $6.45 million.
In terms of prognostication, by 2021, Cybersecurity Ventures predicts that there would be an estimated 3.5 million unfilled positions in the cybersecurity field. The gap in the United States, according to CyberSeek, an initiative funded by the National Initiative for Cybersecurity Education (NICE), is estimated at 314,000 cybersecurity professions.
Cyberseek, a visual mapping tool that graphically displays the supply and demand in the cybersecurity job market shows that the present ratio of cybersecurity professionals to job openings is 2.0:, and then juxtapose that with the national average for all jobs is 5.8 (presumably, this data was taken during the booming economy before the coronavirus decimated everything).
Not surprisingly, the most available jobs in the cybersecurity industry are in Maintain and Operate areas. These areas, as defined by the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework), entails doing the following: “provide the support, administration and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security.”
Following closely behind are roles that provide Securely Provisions capabilities, conceived as roles that can “conceptualize, design, procure and/or build secure IT systems.”
With almost unanimity, reports on cybersecurity show that the skills gap is accelerating in a downward spiral. A survey from both Enterprise Strategy Group (ESG) , which is an independent industry analyst firm and Information Systems Security Association (ISSA) asserts that for not one or two, but in fact three years in a row, the skill shortage has been growing worse.
According to the report, this shortfall is affecting 74% of businesses adversely. The most adversely affected by the skills shortage is cloud security at 33%, application security comes next at 32%, and subsequently security analysis and investigations at 30%.
Cyber risks present a constant moving target, which makes it so difficult to keep up with the fast-moving, evolving nature of threats. While 93% of respondents agreed to keep their companies safe and secure, they had to maintain and update their skills. However, the average cybersecurity professional hardly has time to take avail themselves of the arsenal of tools available to combat cybercrimes.
This is because 47% responded that the pressure placed on them by the shortage of cybersecurity professionals to help shoulder the workload created an impediment to fully utilize or learn the technologies tools provided for them. In addition, 66% assert they find it challenging to keep up with the demands of their jobs due to the changing nature of cybersecurity skills required for their role.
Cybersecurity Education and Training
- 65% of respondents say their academic institutions didn’t provide course for cybersecurity
- Just 32% of companies provide cybersecurity training
- An abysmal 3% of bachelor degree graduates from the United States have cybersecurity skills
- Only 28 states in the US have computer science based standards.
- Only 62% of cybersecurity advocated or just mentioned as a career choice
- The Cyber Innovation Center in the United States anticipates to prepare as many as 50,000 teachers along with 10 million students through K-12 schooling
The lack of trained security staff hampers the ability of companies to develop adequate security processes and establish the right controls to thwart cyber attacks.
Historically, colleges and institutions of higher learning used to be the pipeline from which industry and the market usually looked to fill the critical skill gaps in a field.
But for years, cybersecurity wasn’t on the radar of many universities, with little or no courses focused on it. A survey from 2016 conducted by Raytheon from 12 countries discovered that 62% of students had never had cybersecurity mentioned to them as a career choice by teachers, while almost 70% weren’t provided any classes necessary to pursue a career in the field.
Therefore, businesses can’t afford to sit on their hands and wait for universities to play catch up.
The Chronicle of Higher Education, reputed to be the unofficial US higher education paper of record, reached the following conclusion after scrutinizing Texas A&M’s commendable endeavor to provide courses in cybersecurity: “Work-force demand can lead some institutions to teach students the skills needed for today’s entry-level jobs. But those tools may well be obsolete five or ten years from now.”
This highlights the conundrum faced by institutions of higher learning when trying to keep pace with fast-changing industries.
The article reports that the challenge these institutions face is that while it is worthwhile for these college curriculums to respond to change quickly; however, adequate time is needed to ensure their quality. As a result, the dilemma is to find a way to incorporate both.
Cybersecurity changes rapidly with the fast-moving pace of innovation in information technology. So, while it might be a noble cause, the specter of constantly updating curriculum to mirror cybersecurity needs might not be feasible for these colleges.
Banks and financial institutions, more than other enterprises, are built on earning the trust of their customers. The Boston Consulting Group research reports that firms in the financial services industry face up to 300 times more cyberattacks each year compared to other companies in other industries. As a result, they are perhaps the industry with the most desperate need for qualified cyber personnel.
To bridge the chasm between supply and demand, those in the private sector have been taking measures to ameliorate the situation. For instance, the banking industry has started courting erstwhile adversaries in hackers, and “embracing a more casual, hacker-friendly image” when recruiting candidates at hacker-based events and symposiums.
By openly courting and hiring hackers, banks are blazing a contrarian route by trying to position themselves as the destination of choice for those who want a career in cybersecurity.
As a result, the executives and headhunters from these financial institutions are visiting events such as Black Hat to scout for talent, ditching their usual buttoned-down dark suits, and dressing down to the casual level of their would-be-hires.
But this approach isn’t isolated only to the banking industry. IBM Security’s academic outreach leader, Heather Ricciuto said that “(IBM is) looking for people with non-traditional backgrounds for security. We have a number of people with backgrounds in music, political science that you might think are unrelated to tech — but they bring a whole different perspective to the table.”
Possible Solutions to the cybersecurity skills shortage
The cybersecurity skills gap is a daunting challenge. The United States alone has a talent shortfall of 500,000; but this represents a vast financial opportunity that is far too enticing to remain neglected for very long.
“A better approach demands a shift in perspective,” says Andrei Bezdedeanu, the Vice President of Engineering at ZeroNorth, a platform which touts itself as providing risk-based vulnerability orchestration across both the application and infrastructure level.
One solution, according to Brown, apart from mapping out a coherent strategy to attract people to participate in cybersecurity, is to use “automation orchestration of technology” apparently to abstract away some of the functions. Thereby allowing people to “focus on what they are good at—critical thinking—and machines can do that which they are good at—repetition and scale.”
Touching on this note, while journalist Mike Perkowski agrees that organizations cannot get by on their current staffing levels, he nonetheless insists that attempting to solve this gargantuan problem through traditional means is a fool’s errand since depending on human capital is a losing proposition for the simple fact that it doesn’t scale.
“But hiring more people is not a scalable solution, not when more than a million new malware samples surface every single day and new or improved tactics are being leveraged by the bad guys,” Perkowski says.
Just a decade ago, most companies’ primary defenses consisted of virus and malware software protection. Even when an organization moves to embrace cybersecurity, the tasks were left to a couple of IT staff who most often than not lacked specialty or specialized knowledge in the field.
But what could suffice for those times — because hacking was mostly perpetrated by amateurs doing it for fun who only wanted bragging rights — is no longer tenable.
Now, data has become so valuable, and the stakes of a breach so catastrophic that cybersecurity has now become a mission-critical function that keeps top management awake at night.
The stakeholders in cybersecurity need to fashion a way forward because of the magnitude of the problem.