At a time when cybersecurity careers should be flourishing — the pay is good, opportunities abound and many colleges now offer degrees in security — positions remain unfilled. ISACA’s “State of Cybersecurity 2019” survey revealed that 58 percent of organizations have unfilled security positions and 32 percent said it takes at least six months to fill these open jobs, a six percentage-point increase from the previous year. One reason for the cybersecurity skills gap is a lack of technical security expertise; another is a lack of business insights.

“The most prized hire within a cybersecurity organization is a skilled professional, who not only understands the business operation and how cybersecurity fits into the greater needs of the organization, but also knows how to communicate well,” said Frank Downs, director of cybersecurity practices at ISACA, in a press release about the report.

ISACA’s survey and other discussions on the issue, such as Tripwire’s “Cybersecurity Skills Gap Survey 2019,” look at the cybersecurity skills gap in a very broad sense, as if all cybersecurity jobs and needs are equal. Conversations from RSAC 2019 made clear, however, that if we want to fill the millions of cybersecurity jobs that are available, we need to look at the skills gap problem in different ways.

Focus on Specialized Careers

Cybersecurity Ventures predicted there will be 3.5 million unfilled cybersecurity jobs by 2021. Meanwhile, the global cost of cybercrime is expected to reach $6 trillion. Those numbers point to massive security failures if we don’t change our approach to cybersecurity hiring.

As Jon Oltsik, senior principal analyst at Enterprise Strategy Group (ESG), and Candy Alexander, president of ISSA International, noted during their RSAC presentation, it’s time we stop thinking about security-related jobs as a one-size-fits-all hiring. The skills shortage is most often defined as more jobs than people, but the bigger problem is that the people who might want the jobs don’t have the right skills. It isn’t a matter of having technical skills or business acumen, but rather of having specialized skills to meet very specific cybersecurity challenges.

The threat landscape has shifted dramatically over the past five years, yet many companies continue to focus their security attention on traditional concerns. While there is always going to be a need for professionals who understand how to protect a network from intruders or how to remove malware from a system, the new attack surface requires a higher level of expertise.

Right now, the greatest skills shortages are in cloud security, application security, security analysis and investigations, and risk/compliance administration. Oltsik and Alexander also noted how data privacy has added new responsibilities to the cybersecurity professional’s role. Privacy was once a concern for the legal department, but now, with all the new privacy regulations and the need to protect data so it honors privacy, there is a new level of training necessary and a new slew of security jobs opening up.

By focusing on the threat landscape and emerging attack vectors, potential security professionals should be able to specialize and put a greater emphasis on their training to match their interests and skill sets. Colleges could create more individualized capstone projects for students, and organizations could provide training for employees with skill sets and interests that can be honed to meet the specific challenges within the enterprise. This allows organizations to be more flexible in where they look for future cybersecurity staff.

While most internal searches begin and end in the IT department, it’s important to recognize that the new landscape encourages new mindsets. People with military or law enforcement experience bring insight that can aid in cybercrime investigations, strategy and forensics, for example, while those with a background in political science or psychology can better understand the mind of a threat actor or the geopolitical implications of an attack.

The Overworked Security Professional

The combination of the problems highlighted above and the increasing sophistication and volume of threats is contributing to employee burnout and influencing security professionals to leave the field. It’s more than being overworked — a problem caused in part by the skills shortage itself.

Security staff are also responsible for getting the rest of the organization on board with cybersecurity best practices and making leadership understand the business impacts of cyber risks, neither of which are easy tasks. Too often, security is kept out of the loop when it comes to new projects, only being called on when disaster strikes. And again, the ever-changing threat landscape means they need to keep up with training, except they don’t have time to do so. Instead of focusing on prevention, security teams live in crisis mode, and that is wreaking havoc on their mental and emotional health.

New Approaches to the Cybersecurity Skills Gap

Solving the cybersecurity skills gap won’t happen overnight, but there are steps chief information security officers (CISOs) and other security leaders can take to make hiring easier. Start with these three:

  1. Rethink the need for certifications and experience. Too many organizations want seasoned professionals for entry-level positions and ask for certifications that require years of work experience. Instead, consider hiring prospects with the basic skills required by the job and offering more specific training.
  2. Encourage diversity. A quick look at RSAC attendees showed the lack of women and minorities within the industry; most attendees instead share a strong IT background. Again, it is a matter of matching skill sets with training.
  3. Begin mentoring programs. Start tapping into potential talent when they are in junior high. Offer high school students internships and scholarships. Building a talent network won’t solve the skills gap today, but it will build a pool to choose from in the next decade.

Technology alone isn’t going to solve the cybersecurity skills shortage. It will take engaging the right people, matching them with the right jobs and offering them the right training. It means recognizing security staff are humans, not machines, with attention paid to their work-life balance. If we don’t begin addressing the reasons for the skills shortage and come up with more creative ways to attract workers, we could see failures that could shut down some of the most critical infrastructures and systems we rely on today.
