Cybersecurity dominates our global headlines with news breaking every day about breaches, ransomware attacks, foreign espionage, election tampering and more. Information security is now a top concern for every organization regardless of size or industry, and businesses and government agencies are investing in a wide array of security technologies in response. While it is admirable to see such investment, technology is only part of the solution. The real challenge we face in cybersecurity today is a people problem.
More specifically; Not enough of them.
With a global membership exceeding 125,000 cyber and IT security professionals, (ISC)² sees firsthand the challenges faced by understaffed information security departments, struggling to handle today’s threats. What our members experience and what our research tells us is that there are simply not enough skilled professionals available to meet our global security needs.
(ISC)² – along with the Center for Cyber Safety and Education – recently explored the state of the cybersecurity workforce through the most comprehensive study of its kind. The Global Information Security Workforce Study (GISWS) – with19,641 information security professionals from 170 countries participating – paints a stark reality; there will be a workforce gap of 1.8 million cybersecurity positions by 2022.
1.8 million unfilled cybersecurity positions by 2022 represents a 20 percent increase over the global forecast from the 2015 GISWS. Despite the rising profile of information security, the industry still faces a dearth of qualified and skilled professionals to fill these positions. A majority of our respondents – 66 percent – indicated that there are too few information security workers in their departments. Understaffed and overworked teams find themselves in a reactive position, rather than proactively improving the state of their organizations’ security. And while 70 percent of security hiring managers around the globe are looking to increase the size of their cybersecurity staff over the next year, without a deep pool of skilled, certified talent to draw from, that hiring activity won’t solve our real challenge.
Demanding the Right Skills?
Research also points to a disconnect between hiring managers and front-line security practitioners. We asked hiring managers what they are looking for in qualified candidates. Relevant security experience was important to hiring managers, with 93 percent ranking it either “very important” or “somewhat important.” Overwhelmingly, communication skills were number one among 66 percent of hiring managers – a trend we have seen continue to grow over the past several years – followed by analytical skills at 59 percent. Contrast that with practitioners identifying cloud security and risk management as their top priorities at 60 percent and 41 percent, respectively.
Workforce Shortage = Big Impact
So where does this leave us? What is the real impact of too few security professionals available to defend our data?
When asking respondents about the consequences of the workforce shortage, 50 percent said they would perform worse in recovering from a security breach compared to a year ago; 54 percent said they would perform worse discovering a breach; and 55 percent said they would perform worse having systems in place to prepare for a security incident.
Clearly, security teams are struggling to keep up with today’s threat landscape, and the fact that many believe they are regressing in their readiness is of great concern and places the need for fixing our skills shortage front and center.
Solving the People Problem
Filling the workforce gap will require our profession to ensure we build a broader, more diverse workforce. We must also look for ways to leverage existing security expertise in areas such as IT.
Our study found that the number of women in information security has remained at a painfully low 11 percent. Actively recruiting women to the field has been a topic of discussion to fill the cybersecurity workforce gap over the past several years. I am encouraged to see that more than half of respondents reported that their organizations had a program in place to hire underrepresented individuals.
Our research also reveals that enterprises and government agencies fail to give IT professionals – the very individuals implementing and operationalizing security strategies for most organizations – the training and responsibility they need to take on a more proactive cybersecurity role. This represents a significant missed opportunity considering that 87 percent of North American cybersecurity workers did not start their career in infosec – and 70 percent of them came from IT.
Cybersecurity is facing a talent deficit unlike any other industry, and searching outside the traditional scope of applicants will be key to filling the gap, solving our people problem and ultimately increasing the security posture of organizations worldwide.