According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of 1.8 million information security workers. It is essential that we graduate students who can enter the workforce, fill the vast number of positions available, and use technology safely, securely, ethically and productively.
Week 4 of National Cyber Security Awareness Month (NCSAM) encourages students and professionals to explore cybersecurity as a viable and rewarding profession. Key influencers – like parents, teachers, guidance counselors and state and local officials – will learn more about this growing field and how to engage youth in pursuing cybersecurity careers.
Cyberattacks continue to make headlines, and a cybersecurity talent shortage could add fuel to the fire: The Information Systems Audit and Control Association, or ISACA, a nonprofit information security advocacy group, forecasts a global shortage of 2 million cybersecurity professionals by 2019.
Every year in the U.S., 40,000 jobs for information security analysts go unfilled, and employers are struggling to fill 200,000 other cyber-security related roles, according to cyber security data tool CyberSeek. And for every ten cyber security job ads that appear on careers site Indeed, only seven people even click on one of the ads, let alone apply.
There is no doubt that the lack of cybersecurity talent has left the enterprise world vulnerable. According to a survey conducted by Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA), 69% of the respondents asserted that their organization has been impacted by the global cybersecurity skills shortage.
This skill shortage, in turn, has increased the workload of the respondents, forcing them to hire and train junior employees and preventing them from learning about and using security technologies.
Over 437 information security professionals were surveyed worldwide in the study, with the purpose of understanding the implications brought on by the talent shortage.
The majority of respondents said their organizations have experienced at least one type of security incident, and over 40% believed that their organization is vulnerable to one. Respondents cited cybersecurity teams not being large enough, a lack of cybersecurity training for non-technical employees, and management treating cybersecurity as a low priority as some of the factors responsible.
Creating More Cybersecurity Talent
Although cybersecurity is becoming more top of mind for organizations, and the cybersecurity industry itself is growing, it is a relatively new topic from a higher-education perspective. Cybrary COO Kathie Miley recently discussed the global cybersecurity talent shortage during a panel session at the 2017 ISSA International Conference.
“Cybersecurity schools and certifications have been around only for a short time and are still very expensive,” Miley said. “People who aren’t having their training paid for by their employer simply can’t afford it. It was inevitable that we were going to face this shortage without a really clear-cut way of providing them with those skills and practical work experiences that employers are expecting today.”
Miley suggests that one of the best places to start addressing the cybersecurity talent shortage is the current IT staff within your organization. Since the techniques required to become a cybersecurity expert call for practical experience, organizations should look within and transition IT professionals into cybersecurity roles.
“A lot of cybersecurity is administrative, a lot of it is operational, and a lot of it is network and application development. If we have [those] people who fundamentally have that foundation already built, then it’s not too far to get them up to the next level to become cyber experts,” Miley said.
Creating a Culture of Security
As mentioned during week 2 of NCSAM, cybersecurity in the workplace is everyone’s business, and the responsibility surrounding cybersecurity doesn’t stop with the IT department. Now more than ever, it is important for executives to make cybersecurity a top priority within their organization and to convey that importance to everyone within it. Doing so will help to show the value that cybersecurity professionals bring to an organization, establishing a culture of security.
“Security is about enabling; the reason why organizations have a security team is so that you can get business done. To convey the value that cybersecurity professionals bring to an organization, senior security leaders should be vocal about their efforts and better articulate the benefits of risk management strategy,” said David Goldsmith, CTO at U.K.-based NCC Group, panelist at ISSA.
Additional panelists suggested that another effective way to address the shortage of cybersecurity talent is to instill an interest in cybersecurity among the younger generation by making STEM programs attractive to students.
“We have to make sure the up-and-comings know that the job exists,” Miley said. “I think we all do a terrible job in communicating what cybersecurity is, and we overcomplicate it … we drive them away from cyber instead of letting them know of the value that we are adding to the world.”
Cybersecurity Roles are a Lucrative Opportunity
A recent article published by Forbes shows that the lack of cybersecurity talent is creating lucrative, high-demand positions.
One of the most in-demand cyber security roles is security analyst, says Bill Bonifacic, who leads the cyber security practice at recruiting firm blueStone Recruiting. Security analysts work to prevent and mitigate breaches on the ground. In 2012 there were 72,670 security analyst jobs in the U.S., with median earnings of $86,170. Three years later, there were 88,880 such analysts making $90,120.
Another hot job is security manager, says Bonifacic. Security managers develop and implement overarching processes to keep information private. Often you’ll need a professional certification to be considered for such a role, like a CISM (Certified Information Security Manager) or CISSP (Certified Information Systems Security Professional).
Compensation for the most senior roles in cybersecurity, like chief information security officer, can reach $400,000, says Bonifacic. Cybersecurity jobs commanded a $6,500 premium over other IT jobs in a 2015 study by analytics firm Burning Glass.
If you’re interested in a cybersecurity career, where should you look? Large healthcare, financial and global manufacturing firms need armies of cybersecurity professionals, according to Bonifacic, as do professional services firms like Deloitte and EY.
And what type of experience stands out on a resume? If you’re coming from a large company that hasn’t been in the news for a data breach, that bodes well.
Stay tuned for NCSAM’s final week, themed Protecting Critical Infrastructure From Cyberthreats.