At a time when cybersecurity careers should be flourishing — the pay is good, opportunities abound and many colleges now offer degrees in security — positions remain unfilled. ISACA’s “State of Cybersecurity 2019” survey revealed that 58 percent of organizations have unfilled security positions and 32 percent said it takes at least six months to fill these open jobs, a six percentage-point increase from the previous year. One reason for the cybersecurity skills gap is a lack of technical security expertise; another is a lack of business insights.
“The most prized hire within a cybersecurity organization is a skilled professional, who not only understands the business operation and how cybersecurity fits into the greater needs of the organization, but also knows how to communicate well,” said Frank Downs, director of cybersecurity practices at ISACA, in a press release about the report.
ISACA’s survey and other discussions on the issue, such as Tripwire’s “Cybersecurity Skills Gap Survey 2019,” look at the cybersecurity skills gap in a very broad sense, as if all cybersecurity jobs and needs are equal. Conversations from RSAC 2019 made clear, however, that if we want to fill the millions of cybersecurity jobs that are available, we need to look at the skills gap problem in different ways.
Focus on Specialized Careers
Cybersecurity Ventures predicted there will be 3.5 million unfilled cybersecurity jobs by 2021. Meanwhile, the global cost of cybercrime is expected to reach $6 trillion. Those numbers point to massive security failures if we don’t change our approach to cybersecurity hiring.
As Jon Oltsik, senior principal analyst at Enterprise Strategy Group (ESG), and Candy Alexander, president of ISSA International, noted during their RSAC presentation, it’s time we stop thinking about security-related jobs as a one-size-fits-all hiring. The skills shortage is most often defined as more jobs than people, but the bigger problem is that the people who might want the jobs don’t have the right skills. It isn’t a matter of having technical skills or business acumen, but rather of having specialized skills to meet very specific cybersecurity challenges.
The threat landscape has shifted dramatically over the past five years, yet many companies continue to focus their security attention on traditional concerns. While there is always going to be a need for professionals who understand how to protect a network from intruders or how to remove malware from a system, the new attack surface requires a higher level of expertise.
Right now, the greatest skills shortages are in cloud security, application security, security analysis and investigations, and risk/compliance administration. Oltsik and Alexander also noted how data privacy has added new responsibilities to the cybersecurity professional’s role. Privacy was once a concern for the legal department, but now, with all the new privacy regulations and the need to protect data so it honors privacy, there is a new level of training necessary and a new slew of security jobs opening up.
By focusing on the threat landscape and emerging attack vectors, potential security professionals should be able to specialize and put a greater emphasis on their training to match their interests and skill sets. Colleges could create more individualized capstone projects for students, and organizations could provide training for employees with skill sets and interests that can be honed to meet the specific challenges within the enterprise. This allows organizations to be more flexible in where they look for future cybersecurity staff.
While most internal searches begin and end in the IT department, it’s important to recognize that the new landscape encourages new mindsets. People with military or law enforcement experience bring insight that can aid in cybercrime investigations, strategy and forensics, for example, while those with a background in political science or psychology can better understand the mind of a threat actor or the geopolitical implications of an attack.
The Overworked Security Professional
The combination of the problems highlighted above and the increasing sophistication and volume of threats is contributing to employee burnout and influencing security professionals to leave the field. It’s more than being overworked — a problem caused in part because of the skills shortage.
Security staff are also responsible for getting the rest of the organization on board with cybersecurity best practices and making leadership understand the business impacts of cyber risks, neither of which are easy tasks. Too often, security is kept out of the loop when it comes to new projects, only being called on when disaster strikes. And again, the ever-changing threat landscape means they need to keep up with training, except they don’t have time to do so. Instead of focusing on prevention, security teams live in crisis mode, and that is wreaking havoc on their mental and emotional health.
New Approaches to the Cybersecurity Skills Gap
Solving the cybersecurity skills gap won’t happen overnight, but there are steps chief information security officers (CISOs) and other security leaders can take to make hiring easier. Start with these three:
- Rethink the need for certifications and experience. Too many organizations want seasoned professionals for entry-level positions and ask for certifications that require years of work experience. Instead, consider hiring prospects with the basic skills required by the job and offering more specific training.
- Encourage diversity. A quick look at RSAC attendees showed the lack of women and minorities within the industry, most of whom have a strong IT background. Again, it is a matter of matching skill sets with training.
- Begin mentoring programs. Start tapping into potential talent when they are in junior high. Offer high school students internships and scholarships. Building a talent network won’t solve the skills gap today, but it will build a pool to choose from in the next decade.
Technology alone isn’t going to solve the cybersecurity skills shortage. It will take engaging the right people, matching them with the right jobs and offering them the right training. It means recognizing security staff are humans, not machines, with attention paid to their work-life balance. If we don’t begin addressing the reasons for the skills shortage and come up with more creative ways to attract workers, we could see failures that could shut down some of the most critical infrastructures and systems we rely on today.