While stories of sophisticated and targeted cyber-attacks continue to dominate the headlines, a more pervasive cybersecurity threat has been quietly bubbling up. It’s one that presents as much of a threat to our society as any hacker, but you may not even know it exists. It’s the cybersecurity talent gap crisis, and it’s impacting businesses, universities, and government entities of all shapes and sizes.
Just how real is the crisis? According to the Cybersecurity Jobs Report, 3.5 million cybersecurity positions are anticipated to be unfilled worldwide by 2021, and cybersecurity unemployment currently sits at zero percent.
Research and strategy firm Enterprise Service Group (ESG) has also built a rather stark picture of the cybersecurity skills landscape. ESG’s annual global survey of IT decision makers found in 2014 that 23% of its respondents had a problematic shortage of cybersecurity talent. By 2016, this number had jumped dramatically to 46%. By 2018, 51% of respondents said they were struggling with filling open positions.
Cybercriminals, on the other hand, aren’t complaining. The increased workload placed on existing cybersecurity staff, and the reality of having to hire and train junior personnel rather than experienced professionals, mean that security teams spend the majority of their time firefighting and little time preparing for data breaches. Cybercriminals are capitalizing on this predicament by finding new ways to commit cyber fraud at an alarming rate.
How Did We Get Here?
There is little doubt that the rise in cybersecurity threats has greatly helped to create a gap in security skills and professionals. But demand is only part of the skills gap story. The bigger problem for many organizations seeking to hire cybersecurity talent is that supply cannot keep pace.
While specialized security experts quickly get snatched up by large corporations, other businesses—such as hospitals, manufacturers and retail shops—need the expertise too. These smaller enterprises can find themselves more frequent targets of hackers because of their lack of appropriate staff, and because they often act as conduits to larger targets: major partners and lots of customers.
Many security experts believe that not only have businesses underestimated the scale of the problem cybercrime poses and the speed at which the skills gap crisis has been growing, they have also failed to properly communicate the significant need for cybersecurity professionals to policy makers, educational institutions, and the public at large. (This is why you may be unaware of the problem.)
Additionally, rather than looking beyond traditional IT career paths to recruit from a wider talent pool, organizations are failing to see cybersecurity as its own area of the business. Cybersecurity has yet to be identified as distinct from IT and tasked with communicating and strategizing all the way to the executive level.
Closing the Gap
Solving the skills gap crisis requires a different way of thinking, for organizations and talent. Cultivating a security mindset is a priority.
The good news is that many hiring managers are beginning to understand that the workforce gap needs to be a top concern, above such things as lack of adequate budget and lack of time to recruit. Cybersecurity pros are also reporting stronger job satisfaction, expect budgets to increase, and are focused on sharpening their skills, according to the latest (ISC)² Cybersecurity Workforce Study. From an academic perspective, more and more universities are recognizing the need to better prepare their students with the latest and best cybersecurity training.
Changing the culture takes time, but organizations need to broaden their idea of what a candidate looks like and consider a range of potential talent:
- Women: Only a small percentage of women make up the cybersecurity workforce. More women need to be encouraged to seek skills and positions in the field, and existing bias in hiring practices must be alleviated.
- Ex-military: Another source of good talent is former military service personnel. Much of the situational, in-the-trenches experience of veterans translates well to the battlefield of cybersecurity.
- Soft skills vs. technical skills: About one-third of all cybersecurity professionals came to the field from a background outside of information technology. While many candidates may not feel qualified for a position for lack of technical skills, most hiring managers place a higher priority on communications and analytical skills than on technical expertise.