The cybersecurity industry is booming — but there aren’t enough skilled workers to go around. “More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74 percent over the past five years,” stated a Peninsula Press analysis of the data published by the U.S. Bureau of Labor Statistics (BLS).

Faced with an ongoing skills gap in information security, the security industry has become adept at finding its next hires by stealing them from a competitor or from federal or state agencies. While those in the field and in human resources are acutely aware of the need for talent, the message hasn’t traveled upstream to the source of that future talent — that is, students, parents, educators and career counselors.

Lack of Fast Solutions to the Skills Gap Issue

Few could have predicted the dire need for people in information security today. While higher education has responded by adding courses and degree programs aimed at placing people in information security, there are still fewer people in the pipeline than what is currently needed and, just as importantly, far fewer than are projected to be needed in the future. BLS data, which currently only tracks information security analysts, shows a growth potential pegged at 37 percent, which is “much faster than average.”

Part of the problem stems from the lack of information about careers in information security. This issue traces its roots all the way down to parents and school counselors not knowing about the full range of opportunities, or at best reducing the field to going to hacking school. Often, parents and students are told that the only way is to go through a traditional computer science program or a networking program, then switch into security. This may have been the reality 10 years ago, but it’s no longer the case: An increasing number of schools are offering graduate and even undergraduate courses feeding directly into information security careers.

As awareness of these career opportunities increases, so, too, are the number of students choosing to declare majors directly in those areas. There are many strong programs in cybersecurity across the U.S. However, traditional paths toward a four-year degree program will, by definition, only bear fruit years from now when students have graduated with their degrees in hand.

Going Closer to the Source

To alleviate the shortage of people, companies such as IBM have come up with worthy outside-the-box ideas. One such idea was announced back in 2010 when IBM teamed up with the City University of New York to create P-TECH, “a computer science-focused school in the city that spans from grade 9 to 14.” By the time students graduate from this special program, they would have an associate degree in hand. In June 2015, the partnership celebrated the first students to have completed the P-TECH program.

However, traditional schooling and the P-TECH program are unable to have an immediate impact on the supply chain of those with information security talent. There are a few other concepts to keep in mind when considering how your organization will address this skills gap.

Shortage Versus Retention

As the opportunities for switching jobs and signing on for more money abound in the field, companies should take another look at how well they are able to retain their existing security talent.

“If you wait until a valued employee’s exit interview to find out why he or she decided to move on, you’ve missed out on keeping a productive member of your team,” a CIO article pointed out. Recruit the right people (job hoppers are usually easy to spot on a resume), provide opportunities for continuing education and professional development and set a clear path for advancement.


Another possible option is for companies to leverage their existing workforce and transition, or cross-train, that workforce into taking a greater cybersecurity role. CSO Online recently highlighted the Herjavec Group, which did just that.

However, cross-training does not ultimately solve the skills gap. Instead, it shifts it from having to fill cybersecurity positions to having to fill broader IT-related positions (e.g., those that were pilfered to cross-train your existing workforce).


Another approach worth mentioning is that of cybersecurity consortia. Cybersecurity consortia have increased in popularity due to their ability to be more nimble than their pure academic counterparts, both from a financial standpoint and from the perspective of cutting through the red tape to make things happen. Consortia, usually organized as 501 (c) (3) organizations, bring together academia and companies in the cybersecurity industry, as well as involvement from federal, state and local governments.

Two such consortia worth mentioning are the Florida Cyber Alliance and the Minnesota Cyber Careers Consortium. Their mission is to advance and develop the talent of their workforce to address cyber issues. Both aim to bring together academia, government organizations and industry players to the table to encourage events, challenges and opportunities for growth and employment. Examples of such activities include:

  • Cyber camps and cyber competitions (the National Initiative for Cybersecurity Careers and Studies (NICCS) maintains an authoritative list of such events);
  • Security conferences;
  • Special career or academic programs, such as recruiting more female students to STEM fields or providing four-year degree options to those who already hold a two-year degree;
  • Security awareness initiatives, some even reaching to K-12 students.

While many other cyber and security academic centers exist around the country, the 501 (c) (3) consortia can provide a more agile and coordinated approach for industry partners by having a single point of contact for both the coordination of activities across multiple institutions and for dealing with the otherwise constrained financial administration required by public institutions of higher education.

Closing the Skills Gap

Working together, we can begin to make a difference in the cybersecurity talent shortage. Efforts will range from retraining existing employees to recruiting high schoolers into special educational pathways and bringing together the government sector, private sector and academia to share amazing opportunities for employment and growth in the ever-expanding field of cybersecurity.

More from Intelligence & Analytics

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Overcoming Distrust in Information Sharing: What More is There to Do?

As cyber threats increase in frequency and intensity worldwide, it has never been more crucial for governments and private organizations to work together to identify, analyze and combat attacks. Yet while the federal government has strongly supported this model of private-public information sharing, the reality is less than impressive. Many companies feel that intel sharing is too one-sided, as businesses share as much threat intel as governments want but receive very little in return. The question is, have government entities…

Tackling Today’s Attacks and Preparing for Tomorrow’s Threats: A Leader in 2022 Gartner® Magic Quadrant™ for SIEM

Get the latest on IBM Security QRadar SIEM, recognized as a Leader in the 2022 Gartner Magic Quadrant. As I talk to security leaders across the globe, four main themes teams constantly struggle to keep up with are: The ever-evolving and increasing threat landscape Access to and retaining skilled security analysts Learning and managing increasingly complex IT environments and subsequent security tooling The ability to act on the insights from their security tools including security information and event management software…