The World has a Shortage of Cybersecurity Workers

CYRIN Newsletter

This month’s newsletter is Part One of a two-part series on the shortage of cybersecurity professionals. Part One will shed some light on the problem; Part Two, which will run in our August newsletter, will look at some of the solutions.

We’ve heard and read the reports for years – we do not have enough cybersecurity workers – either in the U.S. or internationally. According to the latest report by the World Economic Forum (WEF), the world is lacking 3 million cybersecurity professionals. In the U.S., depending on your source, the number is anywhere from 400,000 to more than 700,000 positions that need to be filled.

While there appear to be many reasons for the shortfall, a recent report concludes that the skills shortage and the lack of enough training for existing cybersecurity staff can have a big influence on a company's overall cybersecurity health and its ability to retain these critical workers.

According to Jon Oltsik, senior principal analyst at the Enterprise Strategy Group (ESG) and the author of the report, "There is a cumulative impact here: You don't have enough people, the people you have don't have the right skills and the people that you have aren't getting the right training." While 96% of respondents believe that cybersecurity professionals must keep up their skills development, only 38% said their organization is providing them with an appropriate level of training to keep up with business and IT risks. This should be a concern for business, IT and cybersecurity executives, Oltsik said. For CISOs, it should be a priority to get their cybersecurity staff trained and keep them up to speed, because failure to do so will increase the organization's risk, he added.

One mistake companies often make in hiring is overlooking applicants with high potential in favor of those with experience.

According to some, including noted blogger Dylan Berger, years on the job and leading certifications are ideal, but the current cybersecurity job market is too small and competitive. Businesses should expand their search to include less-experienced workers who can grow into top talent. Looking for recruits with specific cybersecurity degrees and certifications will narrow the field too much. Broadening horizons to include security-adjacent experience and education will help companies find talented candidates that traditional searches may miss. According to Berger, there are many readily available workers to fill businesses’ cybersecurity needs if they know where to look. Computer science is one of the top ten most valuable college majors right now, so companies can expect many young, promising graduates to enter the workforce soon. They may lack on-the-job experience, but they can gain that under current staff.

Although the United States – in business and the federal government – added 250,000 people to the cybersecurity payroll between 2020 and 2021, the need for highly skilled workers was still up 30 percent in 2021. According to Ryan LaSalle of Accenture Security, “there are more jobs out there than there are people qualified to take them.”

While the traditional route to a career in cybersecurity has come through those studying computer science or working in other tech fields, executives like LaSalle are taking a more creative approach in finding people to augment this critical workforce: “We look really hard at upskilling and reskilling. We love anthropologists, we love social scientists, we love criminologists.”

Ongoing Learning

Similarly, businesses should recognize the importance of ongoing learning within the workplace. When outside talent is hard to find, it may be better to foster from within. Companies can do that by providing career development opportunities or paying for workers to get new certifications and education. According to blogger Berger, this on-the-job training will help grow less experienced employees into experts. It will also help keep current workers satisfied in their positions, preventing turnover. Many surveys indicate that a lack of growth opportunities accounts for 40% of security professionals leaving their jobs, more than any other category.

A huge challenge for cybersecurity professionals is how rapidly technology changes, said Candy Alexander, member of the Information Systems Security Association (ISSA) International Board of Directors and chief architect of the ISSA Cyber Security Career Lifecycle. Cybersecurity professionals must try to think ahead to learn what the risks are when using these technologies in the business, she added. The problem is made worse because, for modern companies, cybersecurity investments typically center on technology instead of training cybersecurity professionals, Alexander said. Instead, companies should be focusing on the skills issue, she added. "We need to reinvest in our people to really get to the solutions in regards to mitigating the risks around our organization," she said. "If you want to keep your cybersecurity staff, you need to invest in them. You need to provide them a little bit of nurturing through training, and that doesn't necessarily mean classroom and in-person training."

One of the challenges is that businesses still use traditional approaches, such as instructor-led training, she said. Information security or cybersecurity professionals will get more benefits from what Alexander called "just-in-time learning": in other words, going after very specific training as needed. "I can't go and spend a week in the classroom to learn about the latest networking technology. I just need to learn what I need to mitigate a certain risk," she explained.

If so many bodies are needed to fill seats in cybersecurity roles, then what’s the holdup on companies and universities preparing future professionals to take these jobs? There’s no one answer to that question, says Will Markow, vice president of applied research–talent at Emsi Burning Glass, in a recent special education issue of Fortune. It appears there are a number of dynamics making it difficult to build a talent pipeline for cybersecurity jobs.

Even if you have an undergraduate or graduate degree in cybersecurity, computer science, or a related field, that may not be enough to land certain jobs in the industry. “Employers have been very slow to reduce either credential requirements or education requirements for cybersecurity jobs, despite the hiring difficulty that they have,” Markow says. “We really haven’t seen any noticeable shift in the share of cybersecurity openings that are available to workers who don’t have either a bachelor’s degree or at least three to five years of prior work experience.”

The situation in the government sector is no better, and some call it “dire.” In 2021, according to published reports, there was a shortage of about 36,000 public-sector cyber jobs across federal, state and local governments. Some of the issues cited with the government’s cyber hiring include pay that’s not competitive with the private sector, inflexibility that turns off younger workers, and a lengthy and arcane hiring process that is frustrating and difficult to navigate.

Bottom line – companies need to start to expand the base of available talent and the way they look at training and preparation for the new roles that cybersecurity professionals find themselves facing.

As we’ll see in Part Two of this series, although the current shortage of skilled cybersecurity professionals is of growing concern for companies, educators, and government agencies, there are new initiatives among these exact groups that are seeking to find and diversify the talent pool. These strategic alliances will increase the number of available and skilled workers, while also making this field one of increasing diversity, which may draw even more people from a variety of sectors.

CYRIN Has a Role

CYRIN can help. CYRIN’s online interactive virtual training platform is designed to be “always available” 24/7 to improve the skills of IT, engineering and cybersecurity professionals and students. CYRIN contains more than 60 interactive labs, courses, exercises and attacks where you can train on commonly used tools in network administration and defense, individual and red team/blue team exercises, and numerous attack scenarios where students and trainees must mitigate random attacks on industrial and enterprise networks.

To meet the test, CYRIN is continuously evolving to stay abreast of the cyber “arms” race. We constantly add new exercises and courses, and our collaboration with partners like the Rochester Institute of Technology (RIT) helps us add new tools to meet the existing challenges and new threats as they emerge.

But don’t take our word for it. Please take a look at our entire course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!

Coming in August - Part Two - Some of the solutions and ideas for filling the pipeline.