I recently came across a lively discussion on LinkedIn where the participants were debating the use of the term ‘cybersecurity’ when they really meant information security. The discussion eventually got lost in my feed, so I never saw if the participants came to a conclusion, but that conversation highlighted a question that was brought up in an (ISC)2 study released last fall: Is the inability to define security at the heart of the cybersecurity skills gap? If we can’t truly define what security is, how can organizations design the right cybersecurity jobs for their needs?

How Can There Be a Cybersecurity Skills Gap?

On the surface, it seems like people should be flocking to cybersecurity careers. Cybersecurity jobs are at nearly zero unemployment levels internationally, and the (ISC)2 study revealed that there is a global workforce gap of 4 million people. In the U.S. alone, there is a need for 500,000 more skilled workers. Clearly, the jobs are there, and the number of positions is only increasing as cyberattacks continue to escalate in terms of sophistication and payoff for cybercriminals.

The jobs pay well, too. New professionals can expect to make $75,000, while average salaries for more experienced cybersecurity staff are well into six figures. Plus, the skill sets required tend to be more diverse than other IT-related jobs. In addition to tech skills, cybersecurity jobs also require skills that align with liberal arts and humanities fields, such as communications and psychology. This has the potential to open the door to a wide range of candidates.

What’s missing is an accurate job description, said Wesley Simpson, chief operating officer with (ISC)2, during a conversation at the company’s Security Congress in October. Hiring managers who write up job descriptions often don’t have a complete understanding of the actual skill needs for these cybersecurity careers. There is a tendency to become enamored with certifications, which a person often can’t qualify for until they have years of job experience.

However, many of these jobs that “require” certifications are essentially entry-level jobs, so the people who should be applying for them don’t because they don’t carry certifications. On the other hand, people who do apply may be over-qualified and see the position as a lateral move, which could lead them to turn an offer down.

Cybersecurity Skills Gap in Job Titles

The cybersecurity industry has done a rather poor job designing a typical career path, according to Simpson. Most college students have a good idea what type of job they’ll land or where their degree will take them. If you study accounting, you’re going to follow the path of an accountant. If you study mechanical engineering, you will likely have plenty of options, but you know your skills could translate well to designing cars, HVAC systems or rockets.

But those who study cybersecurity don’t always have such a well-defined path to follow. And as the LinkedIn discussion highlighted, the question of whether you’re studying cybersecurity or information security can make a difference. Furthermore, where do you place a student in a security and risk analysis major? Is that a business curriculum or should it be considered an IT track?

After these college kids graduate, they go into a job search where seven different titles could describe the same job. The (ISC)2 study listed the following popular cybersecurity job titles: Security Manager, Security Analyst, Security Consultant, Security Administrator. You might see a job ad seeking a Data Security Specialist or an Information Security Analyst, but if you look closely at the descriptions, most of these jobs have similar requirements, at least on paper. However, if one were to judge by the titles alone, these might sound like positions that would require different levels of experience or cover different responsibilities, which may discourage qualified applicants from applying.

Closing the Gap

Closing the cybersecurity skills gap will take more than coordinating job titles and writing accurate job descriptions. It will require bringing together different entities from within the industry, including cybersecurity and information security leaders, academics, government agencies and vendors, to set true standards regarding what constitutes a cybersecurity job versus an information security job and how data analytics fits into data security needs.

With more developed industry standards, colleges can design more specific career paths for students, as well. This could also bridge the gap by enabling veterans to use their military experience to help companies address cyber threats.

Perhaps most importantly, with industry-defined parameters, organizations can remain better informed about their internal security requirements. There’s a one-size-fits-all mentality surrounding cybersecurity systems and security personnel, but having industry standards would allow organizations to design security programs that best fit their needs. In turn, this could result in job descriptions that more accurately outline job duties.

However, even these changes likely won’t improve the skills gap quickly. The need is too large, and the industry’s negative image (you only hear about security when bad things happen) is a serious deterrent to attracting new professionals. Also, cybersecurity is not a static industry — change is constant. Required skills will always be shifting, so the standards which govern today’s needs may not be the right standards in five years.

All that said, the stakes are getting higher. We’re moving from individuals and businesses getting hit with cyber attacks to entire cities being taken offline. To account for this, the skills gap must be addressed now, not later. Creating industry standards and coordinating an understanding of cybersecurity are likely the first steps toward closing that gap.
