The cybersecurity industry is booming — but there aren’t enough skilled workers to go around. “More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74 percent over the past five years,” stated a Peninsula Press analysis of the data published by the U.S. Bureau of Labor Statistics (BLS).

Faced with an ongoing skills gap in information security, the security industry has become adept at finding its next hires by stealing them from a competitor or from federal or state agencies. While those in the field and in human resources are acutely aware of the need for talent, the message hasn’t traveled upstream to the source of that future talent — that is, students, parents, educators and career counselors.

Lack of Fast Solutions to the Skills Gap Issue

Few could have predicted the dire need for people in information security today. While higher education has responded by adding courses and degree programs aimed at placing people in information security, there are still fewer people in the pipeline than what is currently needed and, just as importantly, far fewer than are projected to be needed in the future. BLS data, which currently only tracks information security analysts, shows a growth potential pegged at 37 percent, which is “much faster than average.”

Part of the problem stems from the lack of information about careers in information security. This issue traces its roots all the way down to parents and school counselors not knowing about the full range of opportunities, or at best reducing the field to going to hacking school. Often, parents and students are told that the only way is to go through a traditional computer science program or a networking program, then switch into security. This may have been the reality 10 years ago, but it’s no longer the case: An increasing number of schools are offering graduate and even undergraduate courses feeding directly into information security careers.

As awareness of these career opportunities increases, so, too, are the number of students choosing to declare majors directly in those areas. There are many strong programs in cybersecurity across the U.S. However, traditional paths toward a four-year degree program will, by definition, only bear fruit years from now when students have graduated with their degrees in hand.

Going Closer to the Source

To alleviate the shortage of people, companies such as IBM have come up with worthy outside-the-box ideas. One such idea was announced back in 2010 when IBM teamed up with the City University of New York to create P-TECH, “a computer science-focused school in the city that spans from grade 9 to 14.” By the time students graduate from this special program, they would have an associate degree in hand. In June 2015, the partnership celebrated the first students to have completed the P-TECH program.

However, traditional schooling and the P-TECH program are unable to have an immediate impact on the supply chain of those with information security talent. There are a few other concepts to keep in mind when considering how your organization will address this skills gap.

Shortage Versus Retention

As the opportunities for switching jobs and signing on for more money abound in the field, companies should take another look at how well they are able to retain their existing security talent.

“If you wait until a valued employee’s exit interview to find out why he or she decided to move on, you’ve missed out on keeping a productive member of your team,” a CIO article pointed out. Recruit the right people (job hoppers are usually easy to spot on a resume), provide opportunities for continuing education and professional development and set a clear path for advancement.


Another possible option is for companies to leverage their existing workforce and transition, or cross-train, that workforce into taking a greater cybersecurity role. CSO Online recently highlighted the Herjavec Group, which did just that.

However, cross-training does not ultimately solve the skills gap. Instead, it shifts it from having to fill cybersecurity positions to having to fill broader IT-related positions (e.g., those that were pilfered to cross-train your existing workforce).


Another approach worth mentioning is that of cybersecurity consortia. Cybersecurity consortia have increased in popularity due to their ability to be more nimble than their pure academic counterparts, both from a financial standpoint and from the perspective of cutting through the red tape to make things happen. Consortia, usually organized as 501 (c) (3) organizations, bring together academia and companies in the cybersecurity industry, as well as involvement from federal, state and local governments.

Two such consortia worth mentioning are the Florida Cyber Alliance and the Minnesota Cyber Careers Consortium. Their mission is to advance and develop the talent of their workforce to address cyber issues. Both aim to bring together academia, government organizations and industry players to the table to encourage events, challenges and opportunities for growth and employment. Examples of such activities include:

  • Cyber camps and cyber competitions (the National Initiative for Cybersecurity Careers and Studies (NICCS) maintains an authoritative list of such events);
  • Security conferences;
  • Special career or academic programs, such as recruiting more female students to STEM fields or providing four-year degree options to those who already hold a two-year degree;
  • Security awareness initiatives, some even reaching to K-12 students.

While many other cyber and security academic centers exist around the country, the 501 (c) (3) consortia can provide a more agile and coordinated approach for industry partners by having a single point of contact for both the coordination of activities across multiple institutions and for dealing with the otherwise constrained financial administration required by public institutions of higher education.

Closing the Skills Gap

Working together, we can begin to make a difference in the cybersecurity talent shortage. Efforts will range from retraining existing employees to recruiting high schoolers into special educational pathways and bringing together the government sector, private sector and academia to share amazing opportunities for employment and growth in the ever-expanding field of cybersecurity.

More from Intelligence & Analytics

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today