I recently came across a lively discussion on LinkedIn where the participants were debating the use of the term ‘cybersecurity’ when they really meant information security. The discussion eventually got lost in my feed, so I never saw if the participants came to a conclusion, but that conversation highlighted a question that was brought up in an (ISC)2 study released last fall: Is the inability to define security at the heart of the cybersecurity skills gap? If we can’t truly define what security is, how can organizations design the right cybersecurity jobs for their needs?
How Can There Be a Cybersecurity Skills Gap?
On the surface, it seems like people should be flocking to cybersecurity careers. Cybersecurity jobs are at nearly zero unemployment levels internationally, and the (ISC)2 study revealed that there is a global workforce gap of 4 million people. In the U.S. alone, there is a need for 500,000 more skilled workers. Clearly, the jobs are there, and the number of positions is only increasing as cyberattacks continue to escalate in terms of sophistication and payoff for cybercriminals
The jobs pay well, too. New professionals can expect to make $75,000, while average salaries for more experienced cybersecurity staff are well into six figures. Plus, the skill sets required tend to be more diverse than other IT-related jobs. In addition to tech skills, cybersecurity jobs also require skills that align with liberal arts and humanities fields, such as communications and psychology. This has the potential to open the door to a wide range of candidates.
What’s missing is an accurate job description, said Wesley Simpson, chief operating officer with (ISC)2, during a conversation at the company’s Security Congress in October. Hiring managers who write up job descriptions often don’t have a complete understanding of the actual skill needs for these cybersecurity careers. There is a tendency to become enamored with certifications, which a person often can’t qualify for until they have years of job experience.
However, many of these jobs that “require” certifications are essentially entry-level jobs, so the people who should be applying for them don’t because they don’t carry certifications. On the other hand, people who do apply may be over-qualified and see the position as a lateral move, which could lead them to turn an offer down.
Cybersecurity Skills Gap in Job Titles
The cybersecurity industry has done a rather poor job designing a typical career path, according to Simpson. Most college students have a good idea what type of job they’ll land or where their degree will take them. If you study accounting, you’re going to follow the path of an accountant. If you study mechanical engineering, you will likely have plenty of options, but you know your skills could translate well to designing cars, HVAC systems or rockets.
But those who study cybersecurity don’t always have such a well-defined path to follow. And as the LinkedIn discussion highlighted, the question of whether you’re studying cybersecurity or information security can make a difference. Furthermore, where do you place a student in a security and risk analysis major? Is that a business curriculum or should it be considered an IT track?
After these college kids graduate, they go into a job search where seven different titles could describe the same job. The (ISC)2 study listed the following popular cybersecurity job titles: Security Manager, Security Analyst, Security Consultant, Security Administrator. You might see a job ad seeking a Data Security Specialist or an Information Security Analyst, but if you look closely at the descriptions, most of these jobs have similar requirements, at least on paper. However, if one were to judge by the titles alone, these might sound like positions that would require different levels of experience or cover different responsibilities, which may discourage qualified applicants from applying.
Closing the Gap
Closing cybersecurity skills gap will take more than coordinating job titles and writing accurate job descriptions. It will require bringing together different entities from within the industry, including cybersecurity and information security leaders, academics, government agencies and vendors, to set true standards regarding what constitutes a cybersecurity job versus an information security job and how data analytics fits into data security needs.
With more developed industry standards, colleges can design more specific career paths for students, as well. This could also bridge the gap by enabling veterans to use their military experience to help companies address cyber threats.
Perhaps most importantly, with industry-defined parameters, organizations can remain better informed about their internal security requirements. There’s a one-size-fits-all mentality surrounding cybersecurity systems and security personnel, but having industry standards would allow organizations to design security programs that best fits their needs. In turn, this could result in job descriptions that more accurately outline job duties.
However, even these changes likely won’t improve the skills gap quickly. The need is too large, and the industry’s negative image (you only hear about security when bad things happen) is a serious deterrent to attracting new professionals. Also, cybersecurity is not a static industry — change is constant. Required skills will always be shifting, so the standards which govern today’s needs may not be the right standards in five years.
All that said, the stakes are getting higher. We’re moving from individuals and businesses getting hit with cyber attacks to entire cities being taken offline. To account for this, the skills gap must be addressed now, not later. Creating industry standards and coordinating an understanding of cybersecurity are likely the first steps toward closing that gap.