Cybersecurity Jobs Go Begging

Posted by Robert Ackerman

In an era in which we chronically hear about a profusion of new low-paying jobs, there is a challenging and diversified specialty – the cybersecurity professional – that pays well and offers good advancement potential. And yet, we can’t come close to filling the demand for these types of workers.

Security pros protect critical information, which means they have an immediate impact on the businesses in which they work. Cybersecurity is also a challenging puzzle and one that changes all the time, eradicating boredom. Because cybersecurity touches virtually every other IT discipline, cyber pros are also constantly learning.

As previously mentioned, the pay is good, too. According to New Horizons Computer Learning Centers, the median wage exceeds $90,000 annually, 9 percent more than other IT workers overall. In addition, the number of cyber jobs is projected to grow 18 percent annually through 2024, much faster than the average for all occupations. In fact, U.S. News & World Report ranked a career in information security analysis eighth on its list of the 100 best jobs for 2015.

1.5 Million Job Shortfall in Five Years

Nonetheless, nowhere near a sufficient number of qualified job applicants are biting. About 210,000 cybersecurity jobs are unfilled today, according to the Bureau of Labor Statistics, a number widely expected to keep growing. Frost & Sullivan has estimated that the global shortfall of information security workers will reach 1.5 million in five years.

What is the problem?

Nobody knows for sure, but it appears to be part of the general reluctance among young Americans and their global counterparts to pursue STEM careers, a reflection of their perceived inability to master math and science and related disciplines. Companies sometimes will hire people with the right skill sets without a college degree, but a STEM bachelor’s degree is preferred and usually essential. Typically, certifications are also required down the road, especially the CISSP (Certified Information Systems Security Professional).

Another smaller but still prickly problem is that cybersecurity is not the same as computer science, another technical pursuit that also offers ample jobs -- and greater job diversity. Computer science courses are helpful, but insufficient. To crack stubborn encryption, cyber professionals also need to learn how systems work. Computer science doesn’t always explore this.

Boot Camps Help Ease the Challenge

Those with computer science degrees and other non-cybersecurity backgrounds can sometimes sidestep the cybersecurity job hurdle by enrolling in boot camps – intensive programs that accept non-programmers, train them in key skills and help them land jobs. In Denver, for example, startup SecureSet Academy is among the latest organizations to use the boot camp model to prepare cybersecurity job seekers for the career of their choice. Launched a year ago, SecureSet has since graduated 16 cyber pros and placed all of them in solid cybersecurity jobs. A similar number of fresh graduates are expected to join them shortly in the workforce.

Doing much the same thing is the City Colleges of Chicago (CCC), which recently became the first community college system to partner with the Department of Defense on a cybersecurity training program -- and one not limited to members of the military. The CCC program is becoming a model for other community college programs and, among other things, is helping prepare students for entry-level analyst positions.

This program happens to be free. But this is the exception, not the rule. More typically, SecureSet charges thousands of dollars for its 20-week program. And while its graduates have gotten jobs so far, they’re still likely to find themselves shut out of many other cybersecurity positions because they lack degrees.

Given the severe shortage of cybersecurity talent, a key question inevitably arises: Is this the way things should be? As businesses face ever-growing cyber threats, the lack of cybersecurity talent is downright dangerous. A recent report by Intel Security – “Hacking the Skills Shortage” – polled 775 IT decision-makers and found that 82 percent reported a lack of cybersecurity skills within their businesses. One in three said this makes them hacking targets.

Hiring Standards May Be Too High

Given the backdrop, I believe cybersecurity applicants are being judged too harshly. Some on-the-job training makes sense given the rapid growth of cybersecurity. So, too, would corporate partnerships with local colleges to create cybersecurity programs.

Companies also need to do a much better job providing adequate cybersecurity training. That way, the cyber pros they have on board can maintain their skills. This won’t bring in fresh talent but might prolong the stay of current cybersecurity employees, who constantly attract job offers. A survey of more than 430 security professionals by the Enterprise Strategy Group found that 56 percent believed their company did not provide adequate training to keep their skillset current.

For now, and the foreseeable future, there is no shortage of specialties for appropriately skilled cybersecurity pros. Seven come to mind:

  • Security analysis. This is the first job for many cyber pros. These analysts plan and activate computer system security measures.
  • Risk mitigation. This entails tracking security risks that have been identified, discovering new risks, and tracking risk throughout select projects. This position also involves brainstorming what might happen if there is a breach.
  • Data security. This has become a common job as organizations move to cloud computing. The job of data security pros is to protect company information from threats.
  • Network monitoring. This requires professionals who know what they’re looking for in networks and can make decisions rapidly when suspicious behavior is detected. They work in concert with advanced network monitoring apps.
  • Cloud security. Cloud security specialists analyze threats particular to cloud security. Dangers include data breaches, system vulnerability exploits, hijacked accounts, inadequate diligence and malicious insiders.
  • Intrusion detection. Experts in this area search for potentially harmful activity that could undermine the confidentiality, integrity or availability of information.
  • Secure software development. Most data breaches are successful because of vulnerabilities or flaws in software code. Specialists in this area patch code on a routine basis.

Cybersecurity Automation

While all these positions are crucial, it’s also important to note that cybersecurity automation has begun to play a role in coping with the shortage of skilled security professionals. Increasingly common advanced persistent threats (APTs), for example, are spearheaded by automated bots, not human assailants, and, in fact, IT personnel are no match for such intensive, sustained attacks. Most humans do not have the ability to make quick decisions to manually address such attacks.

In addition, even the most skilled cyber professional tends to make occasional mistakes, which can be very costly. Automation helps mitigate this by removing the human element in appropriate circumstances.

A new cohort of orchestration/automation and analytics companies has begun filling the cybersecurity gap with technology solutions that confront automated attacks and/or materially increase the productivity of cybersecurity analysts. This helps address analyst shortages.

As cybersecurity issues continue to grow, it’s natural to wonder whether the salaries of cyber pros will climb still higher. This seems to be inevitable because there aren’t enough professionals to go around. And fatter compensation packages might begin to attract candidates from other disciplines, such as electrical engineering. For the foreseeable future, this might be the best possible way to address the talent shortfall.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital
