April 26, 2019 By Sue Poremba 4 min read

At a time when cybersecurity careers should be flourishing — the pay is good, opportunities abound and many colleges now offer degrees in security — positions remain unfilled. ISACA’s “State of Cybersecurity 2019” survey revealed that 58 percent of organizations have unfilled security positions and 32 percent said it takes at least six months to fill these open jobs, a six percentage-point increase from the previous year. One reason for the cybersecurity skills gap is a lack of technical security expertise; another is a lack of business insights.

“The most prized hire within a cybersecurity organization is a skilled professional, who not only understands the business operation and how cybersecurity fits into the greater needs of the organization, but also knows how to communicate well,” said Frank Downs, director of cybersecurity practices at ISACA, in a press release about the report.

ISACA’s survey and other discussions on the issue, such as Tripwire’s “Cybersecurity Skills Gap Survey 2019,” look at the cybersecurity skills gap in a very broad sense, as if all cybersecurity jobs and needs are equal. Conversations from RSAC 2019 made clear, however, that if we want to fill the millions of cybersecurity jobs that are available, we need to look at the skills gap problem in different ways.

Focus on Specialized Careers

Cybersecurity Ventures predicted there will be 3.5 million unfilled cybersecurity jobs by 2021. Meanwhile, the global cost of cybercrime is expected to reach $6 trillion. Those numbers point to massive security failures if we don’t change our approach to cybersecurity hiring.

As Jon Oltsik, senior principal analyst at Enterprise Strategy Group (ESG), and Candy Alexander, president of ISSA International, noted during their RSAC presentation, it’s time we stop thinking about security-related jobs as a one-size-fits-all hiring. The skills shortage is most often defined as more jobs than people, but the bigger problem is that the people who might want the jobs don’t have the right skills. It isn’t a matter of having technical skills or business acumen, but rather of having specialized skills to meet very specific cybersecurity challenges.

The threat landscape has shifted dramatically over the past five years, yet many companies continue to focus their security attention on traditional concerns. While there is always going to be a need for professionals who understand how to protect a network from intruders or how to remove malware from a system, the new attack surface requires a higher level of expertise.

Right now, the greatest skills shortages are in cloud security, application security, security analysis and investigations, and risk/compliance administration. Oltsik and Alexander also noted how data privacy has added new responsibilities to the cybersecurity professional’s role. Privacy was once a concern for the legal department, but now, with all the new privacy regulations and the need to protect data so it honors privacy, there is a new level of training necessary and a new slew of security jobs opening up.

By focusing on the threat landscape and emerging attack vectors, potential security professionals should be able to specialize and put a greater emphasis on their training to match their interests and skill sets. Colleges could create more individualized capstone projects for students, and organizations could provide training for employees with skill sets and interests that can be honed to meet the specific challenges within the enterprise. This allows organizations to be more flexible in where they look for future cybersecurity staff.

While most internal searches begin and end in the IT department, it’s important to recognize that the new landscape encourages new mindsets. People with military or law enforcement experience bring insight that can aid in cybercrime investigations, strategy and forensics, for example, while those with a background in political science or psychology can better understand the mind of a threat actor or the geopolitical implications of an attack.

The Overworked Security Professional

The combination of the problems highlighted above and the increasing sophistication and volume of threats is contributing to employee burnout and influencing security professionals to leave the field. It’s more than being overworked — a problem caused in part because of the skills shortage.

Security staff are also responsible for getting the rest of the organization on board with cybersecurity best practices and making leadership understand the business impacts of cyber risks, neither of which are easy tasks. Too often, security is kept out of the loop when it comes to new projects, only being called on when disaster strikes. And again, the ever-changing threat landscape means they need to keep up with training, except they don’t have time to do so. Instead of focusing on prevention, security teams live in crisis mode, and that is wreaking havoc on their mental and emotional health.

New Approaches to the Cybersecurity Skills Gap

Solving the cybersecurity skills gap won’t happen overnight, but there are steps chief information security officers (CISOs) and other security leaders can take to make hiring easier. Start with these three:

  1. Rethink the need for certifications and experience. Too many organizations want seasoned professionals for entry-level positions and ask for certifications that require years of work experience. Instead, consider hiring prospects with the basic skills required by the job and offering more specific training.
  2. Encourage diversity. A quick look at RSAC attendees showed the lack of women and minorities within the industry, most of whom have a strong IT background. Again, it is a matter of matching skill sets with training.
  3. Begin mentoring programs. Start tapping into potential talent when they are in junior high. Offer high school students internships and scholarships. Building a talent network won’t solve the skills gap today, but it will build a pool to choose from in the next decade.

Technology alone isn’t going to solve the cybersecurity skills shortage. It will take engaging the right people, matching them with the right jobs and offering them the right training. It means recognizing security staff are humans, not machines, with attention paid to their work-life balance. If we don’t begin addressing the reasons for the skills shortage and come up with more creative ways to attract workers, we could see failures that could shut down some of the most critical infrastructures and systems we rely on today.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today