By 2021 all large companies throughout the world will fill CISO roles, the study predicted.

A look at the jobs landscape shows that over the next five years, positions in the cybersecurity field will triple, according to "The Cybersecurity Jobs Report," sponsored by Herjavec Group.

The global information security advisory firm predicts that – largely owing to increases in cybercrime – the number of cybersecurity job openings will hit 3.5 million by 2021.

Its analysis – based on a study of employment figures, analysts, job postings, vendors, governments and organizations globally – indicates that positions in the field are not keeping pace with the alarming spurt in cybercrime, the cost of which is expected to double to $6 trillion by 2021, up from $3 trillion in 2015.

"Unfortunately, the pipeline of security talent isn't where it needs to be to help curb the cybercrime epidemic," Robert Herjavec, founder and CEO at Herjavec Group, said in a statement. "Until we can rectify the quality of education and training that our new cyber experts receive, we will continue to be outpaced by the Black Hats."

Assembling statistics from a number of sources was only the beginning for this study. The job numbers don't paint a full picture of the impending shortage, wrote Steve Morgan, founder and editor-in-chief at Cybersecurity Ventures, and author of the report. "Every IT position is also a cybersecurity position now," he wrote. "Every IT worker, every technology worker, needs to be involved with protecting and defending apps, data, devices, infrastructure, and people."

Herjavec urged those in the field and those about to enter it to prepare themselves for the upcoming opportunities by pursuing their education in information technology or computer science. The opportunities in this field are endless, he said. "Gone are the days of siloed IT and security teams. All IT professionals need to know security – full stop. Given the complexity of today's interconnected world, we all have to work together to support the protection of the enterprise."

The need begins at the top, he added. While only about a third of U.S. companies currently have a CISO position, he predicts that by 2021 all large companies throughout the world will fill CISO roles. The need is urgent, he explained, owing to the persistence and increase in cybercrime. "Organizations need security leadership with a solid or dotted line to the CEO in order to remedy the problem," he said.

The study explained that because of the skills gap, many corporations are entrusting security responsibilities to third parties. Citing a Microsoft study that estimated that by 2020, three-quarters of infrastructure will be operated by third parties (such as cloud providers and internet service providers), the whitepaper emphasized the service offered by a subset of such third-party providers: MSSPs (managed security service providers), which focus particularly on security.

The migration to outsourced security providers presents a dilemma, though: to ensure the enterprise is defended, it is essential to choose the right provider – one that can supply the cyber defenses, cyber operations and security platforms needed to effectively combat an increasingly hostile threatscape.

"Having a partnership with a third-party security operations center (SOC) provider is beneficial to companies that have limited IT resources and lack internal security expertise," said Melissa Zicopula, vice president of Managed Security Services at Herjavec Group.

Herjavec referred to MSSPs as the new house alarm, providing logs from which data correlation can offer a picture of what's going on in the environment. "Security technology management keeps the system fine-tuned," he said. "But the secret sauce? That's in data enrichment. That's where the magic happens."

This involves proactive threat detection and investigation. It's no longer enough to simply block and defend, Herjavec said. What's required for today's threats is the capacity to investigate and analyze. "Enterprises want to know where the threat originated, how they should respond and what can be done to contain the incident," he explained.

And, to achieve that, he said, organizations are turning to third-party providers.

"The cybersecurity workforce shortage is the biggest security risk – by a country mile – faced by organizations globally," Morgan told SC. "We published this report so that CEOs, CIOs, CISOs and HR chiefs don't get lulled into a false sense of cybersecurity and expect they will be able to recruit for positions on an as-needed basis the way they do for other IT positions."

Cybercrime is driving the need for an exponentially larger number of security workers each year, and the labor pool is simply not there, Morgan said. "Organizations have suffered through open positions for six months to a year at a time, and have hired the wrong people in the absence of qualified talent. The cyber threat is growing and companies need to get ahead of the curve. They need to always be recruiting, look to outsourced security providers, and tap into local colleges and universities. The cybersecurity labor epidemic is worse than the worst ransomware or malware we've seen."

Responding to Cybersecurity Ventures' report on the growing skills shortage, Ray Rothrock, CEO at RedSeal, told SC on Wednesday: "If you're a security professional, this is great news. Or maybe it is not." But, certainly for millions of companies around the globe, this is a real wake-up call, he said.

"So how do we prepare for this chronic skilled labor shortage? We need to learn to work smarter, to do more with less, to prioritize assets and vulnerabilities, to automate and integrate as much as possible. Utilizing the precious scarce talent will now take a lead to capital. We must surrender the notion that every cyberattack can be thwarted with great defense. There will not be enough centurions at the gate to keep the bad guys out of our networks. Despite all of the technology we have in place, sometimes the bad guys get in. But if we can truly understand how our networks are configured and operate, and understand where our vulnerabilities lie, we'll be prepared to better respond to attacks, protect our networks, and prevent a breach – even in the face of a skilled labor shortage crisis."