I recently came across a lively discussion on LinkedIn where the participants were debating the use of the term ‘cybersecurity’ when they really meant information security. The discussion eventually got lost in my feed, so I never saw if the participants came to a conclusion, but that conversation highlighted a question that was brought up in an (ISC)2 study released last fall: Is the inability to define security at the heart of the cybersecurity skills gap? If we can’t truly define what security is, how can organizations design the right cybersecurity jobs for their needs?

How Can There Be a Cybersecurity Skills Gap?

On the surface, it seems like people should be flocking to cybersecurity careers. Cybersecurity jobs are at nearly zero unemployment levels internationally, and the (ISC)2 study revealed that there is a global workforce gap of 4 million people. In the U.S. alone, there is a need for 500,000 more skilled workers. Clearly, the jobs are there, and the number of positions is only increasing as cyberattacks continue to escalate in terms of sophistication and payoff for cybercriminals.

The jobs pay well, too. New professionals can expect to make $75,000, while average salaries for more experienced cybersecurity staff are well into six figures. Plus, the skill sets required tend to be more diverse than other IT-related jobs. In addition to tech skills, cybersecurity jobs also require skills that align with liberal arts and humanities fields, such as communications and psychology. This has the potential to open the door to a wide range of candidates.

What’s missing is an accurate job description, said Wesley Simpson, chief operating officer with (ISC)2, during a conversation at the company’s Security Congress in October. Hiring managers who write up job descriptions often don’t have a complete understanding of the actual skill needs for these cybersecurity careers. There is a tendency to become enamored with certifications, which a person often can’t qualify for until they have years of job experience.

However, many of these jobs that “require” certifications are essentially entry-level jobs, so the people who should be applying for them don’t because they don’t carry certifications. On the other hand, people who do apply may be over-qualified and see the position as a lateral move, which could lead them to turn an offer down.

Cybersecurity Skills Gap in Job Titles

The cybersecurity industry has done a rather poor job designing a typical career path, according to Simpson. Most college students have a good idea what type of job they’ll land or where their degree will take them. If you study accounting, you’re going to follow the path of an accountant. If you study mechanical engineering, you will likely have plenty of options, but you know your skills could translate well to designing cars, HVAC systems or rockets.

But those who study cybersecurity don’t always have such a well-defined path to follow. And as the LinkedIn discussion highlighted, the question of whether you’re studying cybersecurity or information security can make a difference. Furthermore, where do you place a student in a security and risk analysis major? Is that a business curriculum or should it be considered an IT track?

After these college kids graduate, they go into a job search where seven different titles could describe the same job. The (ISC)2 study listed the following popular cybersecurity job titles: Security Manager, Security Analyst, Security Consultant, Security Administrator. You might see a job ad seeking a Data Security Specialist or an Information Security Analyst, but if you look closely at the descriptions, most of these jobs have similar requirements, at least on paper. However, if one were to judge by the titles alone, these might sound like positions that would require different levels of experience or cover different responsibilities, which may discourage qualified applicants from applying.

Closing the Gap

Closing the cybersecurity skills gap will take more than coordinating job titles and writing accurate job descriptions. It will require bringing together different entities from within the industry, including cybersecurity and information security leaders, academics, government agencies and vendors, to set true standards regarding what constitutes a cybersecurity job versus an information security job and how data analytics fits into data security needs.

With more developed industry standards, colleges can design more specific career paths for students, as well. This could also bridge the gap by enabling veterans to use their military experience to help companies address cyber threats.

Perhaps most importantly, with industry-defined parameters, organizations can remain better informed about their internal security requirements. There’s a one-size-fits-all mentality surrounding cybersecurity systems and security personnel, but having industry standards would allow organizations to design security programs that best fit their needs. In turn, this could result in job descriptions that more accurately outline job duties.

However, even these changes likely won’t improve the skills gap quickly. The need is too large, and the industry’s negative image (you only hear about security when bad things happen) is a serious deterrent to attracting new professionals. Also, cybersecurity is not a static industry — change is constant. Required skills will always be shifting, so the standards which govern today’s needs may not be the right standards in five years.

All that said, the stakes are getting higher. We’re moving from individuals and businesses getting hit with cyberattacks to entire cities being taken offline. To account for this, the skills gap must be addressed now, not later. Creating industry standards and coordinating an understanding of cybersecurity are likely the first steps toward closing that gap.
