Cybersecurity professionals worldwide face an ever-evolving threat landscape that many feel they are ill-equipped to manage. Data breaches at corporations, educational institutions and government agencies continue to erode public confidence. The emergence of consumer goods such as wearable devices and self-driving cars, alongside the increasing connectivity of the systems managing critical infrastructure such as power plants and traffic signals are creating new threats to public safety, privacy, and economic stability.
This statement – the introduction to the Center for Cyber Safety and Education and (ISC)2’s 2017 Global Information Security Workforce Study – paints a vivid picture of the very real threat cybersecurity professionals are facing today.
The study, running since 2004, offers insights from 19,641 cybersecurity professionals representing 170 countries, revealing that, regardless of geographic location, data exposure is the top concern for information security professionals. In fact, two-thirds of respondents indicated that there are not enough cybersecurity workers in their organizations to meet the security challenges they currently face. David Shearer, CEO at (ISC)2, said:
“There is a definite concern that jobs remain unfilled, ultimately resulting in a lack of resources to face current industry threats – of the information security workers surveyed, 66% reported having too few workers to address current threats. We’re going to have to figure out how we communicate with each other, and the industry will have to learn what to do to attract, enable and retain the cybersecurity talent needed to combat today’s risks.”
An Abundance of Cybersecurity Positions – But Not Enough Qualified Candidates
The workforce study shows that today’s businesses are experiencing significant delays of over 6 months in filling IT security job vacancies, while organizations are finding that half or more of the cybersecurity job applicants are unqualified. In the US alone, employers fail to fill 40,000 information security analyst jobs every year. That figure jumps to 200,000 when you factor in all IT security-related jobs.
The shortage of qualified employees for IT security roles is placing a giant strain on current information security professionals and their organizations. Research conducted by ESG has found that 51% of organizations report having a significant shortage of cybersecurity skills in 2018, up from 45% in 2017.
The skill shortages bring numerous implications. Organizations are operating in an understaffed mode, while IT security teams lack advanced skills in analytics, forensic investigations and cloud computing security, leaving little time for ongoing cybersecurity training.
Cybersecurity professionals are feeling the pinch, and 62% of current IT security employees feel that their organizations do not provide enough training to keep up with business and IT risks. Other effects include:
- 70% of cybersecurity professionals say the cybersecurity skills shortage has had some impact on their organization. Of course, they are living this impact.
- 63% of cybersecurity professionals say the cybersecurity skills shortage has increased the workload on existing staff. More work and stress at the same salary is a surefire recipe for dissatisfied employees and high attrition.
- 41% of cybersecurity professionals say the cybersecurity skills shortage has led to a situation where the IT security staff spends a disproportional amount of time dealing with high-priority issues and incident response. This means that many cybersecurity pros face a high-stress workplace from the beginning to the end of their workdays.
- 68% of cybersecurity professionals believe that a cybersecurity career can be taxing on the balance between one’s personal and professional life. In other words, information security pros are taking the pressure of their jobs home with them.
- 38% of cybersecurity professionals say the cybersecurity skills shortage has led to high burnout rates and staff attrition. This affects cybersecurity pros and the organizations they work for.
How Did We Get Here?
There is no doubt that the rise in cybersecurity threats has contributed greatly to the gap in IT security skills and professionals. In 2017, the number of U.S. data breach incidents tracked hit a new record high of 1,579 breaches, according to ITRC and CyberScout’s 2017 Data Breach Year-End Review. The Review indicates a drastic upturn of 44.7% over the record-high figures reported for 2016.
Year after year, we have seen an increase in cyber threats that hit organizations in all industries across the board. As the numbers continue to rise, and cybercriminals continue to find new methods to commit cyber fraud, organizations will continue to function in damage control mode, scrambling to clean up the mess that is left after a data breach occurs – hardly the ideal time to close the gap on the IT security deficit.
Security experts believe that not only have businesses underestimated the scale of the problem that cybercrime poses and the speed at which the crisis in job recruitment has been growing, they have also failed to communicate the massive need for IT security professionals to policy makers, educational institutions and the public at large. Additionally, instead of looking beyond traditional IT career paths to recruit from a wider talent pool, organizations are failing to see IT security as a completely separate area of business, distinct from IT and tasked with communicating and strategizing right up to executive level.
Closing the Gap
In the midst of this IT security deficit, there is also good news. The 2017 Global Information Security Workforce Study reports that hiring is on the rise, with 70% of hiring managers increasing their workforce this year – with 30% expanding 20% or more. Healthcare, retail and manufacturing – industries often hit the hardest by data breaches – are most interested in expansion, with nearly 40% in each sector wishing to increase their workforce by 15% or more.
More good news – the increase in cybersecurity hiring comes at a time when the salaries for these positions are increasing. The “Robert Walters Salary Survey 2018” predicted that salaries for cybersecurity jobs around the world will rise by 7% in 2018. In addition, the recruitment firm estimated that all IT roles will see an average increase of 2% in salary.
Along with hiring talented professionals, there are many additional steps that organizations can take to address – and improve – the challenges of IT security recruitment.
Business to Community’s recent article, The Great IT Security Jobs Crisis, offers ways organizations can address the IT hiring problem, with an emphasis on developing a new mindset when it comes to hiring IT staff.
Employers need to start thinking about how they can attract candidates from outside normal career and even educational routes into the profession. There is undoubtedly a hugely talented pool of self-taught individuals out there. Many of these people may not have the qualifications needed to get noticed in the industry, but finding ways to get them in at the ground level could open up a largely untapped source of real talent.
Even with efforts by organizations to increase hiring, experts state that as demand has historically outpaced supply, the gap will continue to grow if organizations do not embrace change.
Nearly 90% of the global workforce is male, a number that remains unchanged, and the majority arrive in information security with a computer science or engineering background. It is clear, as evidenced by the growing number of professionals who feel that there are too few workers in their field, that traditional recruitment channels are not meeting the demand for cybersecurity workers around the world. Hiring managers must therefore begin to explore new recruitment channels and find unconventional strategies and techniques to fill the worker gap.
Change often takes time, but universities are already recognizing the need to better prepare their students with the latest and best cybersecurity training.
Now, a professor in the University of Virginia’s School of Engineering and Applied Science is partnering with Facebook and CodePath.org to offer students a curriculum designed to give them more hands-on training in combating digital threats, which are often difficult to replicate in classroom environments.
The training, which is designed to teach fundamentals and give students a chance to fight off simulated cyberattacks, shows the many different fields of study that touch cybersecurity.
While one computer science student is interested in how to change the way electronic health records are stored and saved, another is learning to code new algorithms in digital security, and a third student is interested in the security implications of the so-called “Internet of Things,” or the connected devices that run on home wireless networks.
UVA is one of a handful of schools nationwide using the training, which is a great start in preparing the next generation for best practices in cybersecurity training.
The future of IT security will not stay the same as it is today. We will either see the IT security gap continue to widen if change is not implemented, or see new recruitment channels and cybersecurity programs adopted that will strengthen the IT workforce.