January 27, 2020 By Sue Poremba 4 min read

I recently came across a lively discussion on LinkedIn where the participants were debating the use of the term ‘cybersecurity’ when they really meant information security. The discussion eventually got lost in my feed, so I never saw if the participants came to a conclusion, but that conversation highlighted a question that was brought up in an (ISC)2 study released last fall: Is the inability to define security at the heart of the cybersecurity skills gap? If we can’t truly define what security is, how can organizations design the right cybersecurity jobs for their needs?

How Can There Be a Cybersecurity Skills Gap?

On the surface, it seems like people should be flocking to cybersecurity careers. Cybersecurity jobs are at nearly zero unemployment levels internationally, and the (ISC)2 study revealed that there is a global workforce gap of 4 million people. In the U.S. alone, there is a need for 500,000 more skilled workers. Clearly, the jobs are there, and the number of positions is only increasing as cyberattacks continue to escalate in terms of sophistication and payoff for cybercriminals.

The jobs pay well, too. New professionals can expect to make $75,000, while average salaries for more experienced cybersecurity staff are well into six figures. Plus, the skill sets required tend to be more diverse than other IT-related jobs. In addition to tech skills, cybersecurity jobs also require skills that align with liberal arts and humanities fields, such as communications and psychology. This has the potential to open the door to a wide range of candidates.

What’s missing is an accurate job description, said Wesley Simpson, chief operating officer with (ISC)2, during a conversation at the company’s Security Congress in October. Hiring managers who write up job descriptions often don’t have a complete understanding of the actual skill needs for these cybersecurity careers. There is a tendency to become enamored with certifications, which a person often can’t qualify for until they have years of job experience.

However, many of these jobs that “require” certifications are essentially entry-level jobs, so the people who should be applying for them don’t because they don’t carry certifications. On the other hand, people who do apply may be over-qualified and see the position as a lateral move, which could lead them to turn an offer down.

Cybersecurity Skills Gap in Job Titles

The cybersecurity industry has done a rather poor job designing a typical career path, according to Simpson. Most college students have a good idea what type of job they’ll land or where their degree will take them. If you study accounting, you’re going to follow the path of an accountant. If you study mechanical engineering, you will likely have plenty of options, but you know your skills could translate well to designing cars, HVAC systems or rockets.

But those who study cybersecurity don’t always have such a well-defined path to follow. And as the LinkedIn discussion highlighted, the question of whether you’re studying cybersecurity or information security can make a difference. Furthermore, where do you place a student in a security and risk analysis major? Is that a business curriculum or should it be considered an IT track?

After these college kids graduate, they go into a job search where seven different titles could describe the same job. The (ISC)2 study listed the following popular cybersecurity job titles: Security Manager, Security Analyst, Security Consultant, Security Administrator. You might see a job ad seeking a Data Security Specialist or an Information Security Analyst, but if you look closely at the descriptions, most of these jobs have similar requirements, at least on paper. However, if one were to judge by the titles alone, these might sound like positions that would require different levels of experience or cover different responsibilities, which may discourage qualified applicants from applying.

Closing the Gap

Closing the cybersecurity skills gap will take more than coordinating job titles and writing accurate job descriptions. It will require bringing together different entities from within the industry, including cybersecurity and information security leaders, academics, government agencies and vendors, to set true standards regarding what constitutes a cybersecurity job versus an information security job and how data analytics fits into data security needs.

With more developed industry standards, colleges can design more specific career paths for students, as well. This could also bridge the gap by enabling veterans to use their military experience to help companies address cyber threats.

Perhaps most importantly, with industry-defined parameters, organizations can remain better informed about their internal security requirements. There’s a one-size-fits-all mentality surrounding cybersecurity systems and security personnel, but having industry standards would allow organizations to design security programs that best fit their needs. In turn, this could result in job descriptions that more accurately outline job duties.

However, even these changes likely won’t improve the skills gap quickly. The need is too large, and the industry’s negative image (you only hear about security when bad things happen) is a serious deterrent to attracting new professionals. Also, cybersecurity is not a static industry — change is constant. Required skills will always be shifting, so the standards which govern today’s needs may not be the right standards in five years.

All that said, the stakes are getting higher. We’re moving from individuals and businesses getting hit with cyber attacks to entire cities being taken offline. To account for this, the skills gap must be addressed now, not later. Creating industry standards and coordinating an understanding of cybersecurity are likely the first steps toward closing that gap.
