The cybersecurity industry is booming — but there aren’t enough skilled workers to go around. “More than 209,000 cybersecurity jobs in the U.S. are unfilled, and postings are up 74 percent over the past five years,” stated a Peninsula Press analysis of the data published by the U.S. Bureau of Labor Statistics (BLS).

Faced with an ongoing skills gap in information security, the security industry has become adept at finding its next hires by stealing them from a competitor or from federal or state agencies. While those in the field and in human resources are acutely aware of the need for talent, the message hasn’t traveled upstream to the source of that future talent — that is, students, parents, educators and career counselors.

Lack of Fast Solutions to the Skills Gap Issue

Few could have predicted the dire need for people in information security today. While higher education has responded by adding courses and degree programs aimed at placing people in information security, there are still fewer people in the pipeline than what is currently needed and, just as importantly, far fewer than are projected to be needed in the future. BLS data, which currently only tracks information security analysts, shows a growth potential pegged at 37 percent, which is “much faster than average.”

Part of the problem stems from the lack of information about careers in information security. This issue traces its roots all the way down to parents and school counselors not knowing about the full range of opportunities, or at best reducing the field to going to hacking school. Often, parents and students are told that the only way is to go through a traditional computer science program or a networking program, then switch into security. This may have been the reality 10 years ago, but it’s no longer the case: An increasing number of schools are offering graduate and even undergraduate courses feeding directly into information security careers.

As awareness of these career opportunities increases, so, too, are the number of students choosing to declare majors directly in those areas. There are many strong programs in cybersecurity across the U.S. However, traditional paths toward a four-year degree program will, by definition, only bear fruit years from now when students have graduated with their degrees in hand.

Going Closer to the Source

To alleviate the shortage of people, companies such as IBM have come up with worthy outside-the-box ideas. One such idea was announced back in 2010 when IBM teamed up with the City University of New York to create P-TECH, “a computer science-focused school in the city that spans from grade 9 to 14.” By the time students graduate from this special program, they would have an associate degree in hand. In June 2015, the partnership celebrated the first students to have completed the P-TECH program.

However, traditional schooling and the P-TECH program are unable to have an immediate impact on the supply chain of those with information security talent. There are a few other concepts to keep in mind when considering how your organization will address this skills gap.

Shortage Versus Retention

As the opportunities for switching jobs and signing on for more money abound in the field, companies should take another look at how well they are able to retain their existing security talent.

“If you wait until a valued employee’s exit interview to find out why he or she decided to move on, you’ve missed out on keeping a productive member of your team,” a CIO article pointed out. Recruit the right people (job hoppers are usually easy to spot on a resume), provide opportunities for continuing education and professional development and set a clear path for advancement.


Another possible option is for companies to leverage their existing workforce and transition, or cross-train, that workforce into taking a greater cybersecurity role. CSO Online recently highlighted the Herjavec Group, which did just that.

However, cross-training does not ultimately solve the skills gap. Instead, it shifts it from having to fill cybersecurity positions to having to fill broader IT-related positions (e.g., those that were pilfered to cross-train your existing workforce).


Another approach worth mentioning is that of cybersecurity consortia. Cybersecurity consortia have increased in popularity due to their ability to be more nimble than their pure academic counterparts, both from a financial standpoint and from the perspective of cutting through the red tape to make things happen. Consortia, usually organized as 501 (c) (3) organizations, bring together academia and companies in the cybersecurity industry, as well as involvement from federal, state and local governments.

Two such consortia worth mentioning are the Florida Cyber Alliance and the Minnesota Cyber Careers Consortium. Their mission is to advance and develop the talent of their workforce to address cyber issues. Both aim to bring together academia, government organizations and industry players to the table to encourage events, challenges and opportunities for growth and employment. Examples of such activities include:

  • Cyber camps and cyber competitions (the National Initiative for Cybersecurity Careers and Studies (NICCS) maintains an authoritative list of such events);
  • Security conferences;
  • Special career or academic programs, such as recruiting more female students to STEM fields or providing four-year degree options to those who already hold a two-year degree;
  • Security awareness initiatives, some even reaching to K-12 students.

While many other cyber and security academic centers exist around the country, the 501 (c) (3) consortia can provide a more agile and coordinated approach for industry partners by having a single point of contact for both the coordination of activities across multiple institutions and for dealing with the otherwise constrained financial administration required by public institutions of higher education.

Closing the Skills Gap

Working together, we can begin to make a difference in the cybersecurity talent shortage. Efforts will range from retraining existing employees to recruiting high schoolers into special educational pathways and bringing together the government sector, private sector and academia to share amazing opportunities for employment and growth in the ever-expanding field of cybersecurity.

More from Intelligence & Analytics

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…