Where are all the security pros?
Marcin Kleczynski, CEO, Malwarebytes
Ten years ago, cybersecurity was just a blip on the radar for most business leaders. Investments in security infrastructure were nowhere near where they are today and the role of the IT security professional was perceived no differently than that of any other IT staff.
Thanks to the influx of devastating data breaches in the public eye, IT security is finally becoming a priority – not only for IT professionals in every industry, but also for the C-suite. Corporate executives are more aware that security is a serious business issue and that neglecting important defenses can have serious financial consequences.
Understanding that, you may be thinking, “Wow, becoming a security professional is one of the most lucrative and stable career choices anyone could make.” And you'd be right. According to the Bureau of Labor Statistics, more than 209,000 cybersecurity jobs in the U.S. were open last year, with a median starting salary of $88,890.
Despite these statistics, people are not becoming security professionals, and those who do either lack the right skills or are dropping like flies. According to a Frost & Sullivan whitepaper, “2015 (ISC)2 Global Information Security Workforce Study,” by 2017 there will be a shortage of two million security practitioners around the world.
Without a reliable workforce of security professionals, many companies are being forced to task general IT professionals with all security initiatives, outsource everything or leave IT security partially unattended or neglected altogether.
Why are companies having such a hard time finding security experts?
Colleges are leaving money on the table – Schools today are simply not prepared to groom the next generation of security practitioners with basic security fundamentals. However, the enrollment opportunity on the table is huge as forward-thinking colleges can become the center of training for a booming field.
Existing security training doesn't include the right skills – Training needs to go beyond writing simple code and conducting log analysis. In the coming year, we're going to see an increased need for security skills for technologies that remediate breaches, such as incident response, forensics and event management.
There is a general disconnect between the market need for certain IT security skills and the training and knowledge that is made available. So, how can we fix this?
Increase targeted training and educational incentives – Making sure that IT professionals are presented with training incentives in very specific aspects of security is crucial. The top area for training and development for security professionals over the next three years should be dominated by the technologies that are powering today's businesses and require protection. Not surprisingly, cloud computing and bring-your-own-device (BYOD) top the list.
Foster talent from inside – Your star security professionals could be sitting right in front of you in your IT department, if given access to affordable, flexible security certification programs. More companies need to leverage programs like those offered by the SANS Institute and (ISC)2 to help their IT staff interested in security get access to important skills and training.
Automation is key – Managing IT security has become a beast that can be daunting for strapped teams. To keep small security teams from burning out, we need to invest in tools that can automate a good chunk of essential security processes.
While we're seeing some strides being made in improving the education, recruitment and training of this workforce, we have a long way to go. If we are able to better align these initiatives with the skills drastically needed by companies, we will all be able to rest easier knowing that our critical data is safer.