The Cybersecurity Skills Gap Is Swelling at a Frightening Pace

Posted by Robert Ackerman

By technology industry standards, the phrase “cybersecurity workforce development” has a promising ring. It suggests that cybersecurity skills can always be improved, and it might be expected to attract qualified young workers looking for a bright future in the field.

But does it really mean much in the stress-filled and chronically understaffed cyber-world? The answer is no, and not just because cybersecurity workers are in extremely high demand.

Despite the ever-growing shortfall of cybersecurity talent amid relentless cyberattacks, corporate cyber-training has not grown much in recent years and seldom earns praise from cyber-pros. Most surveys show that skills-upgrade training is relatively scarce, which contributes to severe workplace pressure and, ultimately, high turnover. Continuous training is lacking in part because there never seems to be time to learn while the team is fighting the next conflagration.

So inadequate training persists. It is a classic catch-22: companies see little opportunity to teach, and too many young people, observing this, avoid the field.

The good news is that the outlook isn’t entirely bleak. Solutions, in fact, exist.

The most important is to expand the talent pool. While an appropriate college degree is certainly useful, cyber-pros increasingly say it isn’t essential. At least one major technology company that has signed on to this thinking is IBM, which has created what it calls “new collar” jobs: positions that offer selected candidates on-the-job cybersecurity training, industry certifications and access to community college courses.

Big Blue, in short, is prioritizing capability and willingness to learn over degrees. “New collar” jobs represent 20% of IBM cybersecurity hires since 2015.

The other key solution is to expand in-house training and development, perhaps by forming a partnership with an accredited university. One such example is ManTech, a Virginia-based government defense contractor, which has teamed up with Purdue University Global to develop a customized training program to “upskill” its cyber-workforce. ManTech employees have access to a three-course program that can help them qualify to sit for the Certified Information Systems Security Professional (CISSP) certification examination. The training also strengthens ManTech’s position when bidding on government contracts.

Undermining this good news, however, is a pesky reality: so far, companies have not been broadly pursuing these steps.

According to the latest annual cybersecurity worker survey by the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG), an independent industry analyst firm, the cybersecurity skills shortage has worsened for the third year in a row, impacting nearly 75 percent of surveyed companies. Almost all respondents (93 percent) said they must keep their skills current if they hope to keep their organization secure. But 66 percent also said that time constraints make it hard to keep up with evolving cybersecurity skills.

Making matters still worse is the COVID-19 pandemic. Corporate lockdowns have pushed many cybersecurity workers into remote work, and skilled trainers have been slow to adapt their offerings to that reality.

The overwhelming problem, of course, is the stunning shortage of cybersecurity talent. Depending on the source, there may be a gap of as many as four million cyber-pros globally. (ISC)², the world’s largest nonprofit association of certified cyber-pros, stands behind the four million figure. The US, for its part, is nowhere near where it needs to be.

Companies have been trying to cope, in part, by relying more aggressively on artificial intelligence and machine learning, but this is still at a relatively nascent stage and can, at best, mitigate the problem rather than solve it.

So, what kind of talent, exactly, do major companies want? Their stated preference is candidates with a bachelor’s degree in programming, computer science or computer engineering. The reality, however, is that cybersecurity has long embraced people with nontraditional backgrounds, such as system administrators and network engineers, who can do the job after some training in select tools and technologies. There should also be entry-level positions for motivated, bright young people without such backgrounds.

Here are a few job interview and hiring tips for companies now facing the new reality in cybersecurity staffing:

  • Think hard about the wisdom of maintaining degree requirements. Someone who has learned security on the job, or taught themselves, is often more qualified than someone who has spent those years attending lectures, especially when that experience is coupled with on-the-job training.
  • Hire for ability, not degrees or certificates. Ask applicants for a portfolio of their work instead. What code have they shared on GitHub? What tools have they built? Are they active in any open source projects?
  • Interview with a case study, not a list of questions. Have candidates work through a realistic case study on a whiteboard in real time, giving them a chance to showcase how they think and what they can do. This reveals far more than a standard question-and-answer interview.
  • Expand location expectations. COVID-19 has shown that remote work works. Take advantage of this. As soon as a position is advertised as requiring someone within commuting distance of a specific city, the pool of suitable candidates shrinks.

Of all the problems unearthed by the aforementioned ISSA/ESG survey, perhaps the most serious is that 68 percent of cyber-pros said they do not have a well-defined career path. This is a serious failing. How many committed professionals in any field would be satisfied with sacrificing their career goals? Candidates who are not serious about their careers are weak prospects, and the serious ones will not stay where they cannot see a way forward. The introduction of crystal-clear career ladders is absolutely essential.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
