If you’re a security professional you’ve probably heard we’re going to be short 2 million security professionals worldwide by 2017. At least that’s what speakers at the Digital Skills Committee at the House of Lords in London said recently. The basic thought is that we’re not training enough students to be security professionals, and the need for them keeps growing as we rely ever more on the Internet for banking, commerce and entertainment.

Add to these pressures the expansion of Internet-enabled devices, the Internet of Things, and you can easily see a shortage of 2,000,000 professionals within the next two years. The only problem is that we may be underestimating the number really needed by 50-100%.

Finding the Right People

Ask anyone who’s tried to hire a qualified security professional within the last five years and you’ll hear a story about the difficulty of finding the right people. Finding the right skills and the right person, even for an entry-level security role, is difficult. And it only gets more painful when you’re looking for someone more experienced or with a specific skill set that’s in high demand. It drives up salaries in the field, it lengthens candidate searches and it sets unrealistic expectations for new people coming into the field.

But the real reason we’re likely to suffer an even higher deficit in security professionals is two-fold. First is the concept of technical debt, more specifically security debt. Security has been an add-on for decades, something that was either ignored or bolted on as an afterthought, and that has only really started changing in recent times. We haven’t put the resources in place to properly protect many of our systems, and that security debt has been gathering interest silently in the background. As we start digging into these problems, it’s likely we’ll find they are much bigger than they appeared, because past deficits will be revealed along the way.

The second, closely related issue is a rising storm of bugs in older software, which is creating a new norm in security vulnerabilities. If you work in security and haven’t lost sleep to Heartbleed, Shellshock, POODLE or the latest bug in Drupal, you should consider yourself very, very lucky. And as the industry looks deeper into the old software we all rely on, as researchers re-examine the foundational code that makes the Internet run, we’re going to see more emergency patches issued and lose more sleep responding to the fire drills. The stress caused by this increase in emergency-class events means we can’t keep doing incident response as usual: we will need new processes, new communication channels and, most importantly, more people involved so that we don’t burn out the few people we currently have.

Making it Work

Long term, education is one of the biggest solutions to the deficit of security professionals, but it’s not going to help us within the next two years. The reality is that it takes more than two years to get a degree program created and running in any discipline, and while quite a few schools currently have a security curriculum, it’s simply not enough. And a degree doesn’t make a security professional; a certain level of curiosity, tempered by cynicism and disbelief in the status quo, is needed too. A security professional faces any number of challenges over a career, but one of the underlying threads is that you have to be prepared to dig a little deeper than the data suggests on the surface.

Short term, what we really need is to work harder at making security an integral part of business practices. We’ve talked about this integration for years, but at all too many companies it’s still something we merely pay lip service to. There are islands of support in development groups or IT, but how many companies can really say they have a security practice with supporters and integration everywhere from the CEO down to marketing and sales? If we can’t find new people to hire in the near future, we need to modify our processes and procedures to take advantage of the people we do have outside the security team. If your incident response plans don’t include marketing for communication, sales for explaining the issues to your customers and the CEO for making the tough calls, then there’s still work to do on integrating with the business.

Eventually, market pressures will increase the number of people choosing security as a career, but it’s not going to be quick and it’s not going to happen in the next two years. In the meantime, it’s going to take leadership that can make the most of the resources we do have and reach outside what we traditionally think of as the security team. And the front-line security professionals of today are going to have to become the leaders of tomorrow, teaching all the new people coming in from colleges and farther afield.
