Corporate cybersecurity has a problem. And it's not just with high-profile data breaches, lagging technology tools or disparate or older systems that represent points of vulnerability in any security scheme. It's qualified workers. As in, where are they?
Currently, the answer is: Missing in action. The IT security industry has matured light years faster than the workforce, creating a shortage of proficient employees to fill the ever-increasing number of IT security positions in private industry and government. That personnel gap rivals any experienced by the technology industry in decades. According to the “Cisco 2014 Annual Security Report,” the global shortage has reached as many as one million IT security pros, a shortfall expected to rise to 1.5 million by 2019 as the cybersecurity workforce grows to six million worldwide. And the gap may be widening. More recently, “The State of Cybersecurity: Implications for 2015,” a report released in January 2016 by the Information Systems, Audit and Control Association (ISACA), found that it takes 53 percent of organizations between three and six months to fill such jobs, and one in 10 organizations cannot fill them at all, leading to greater vulnerabilities and fewer controls or security policies which increase the risk of a breach.
“If you think about the growth of cybersecurity and how it has corresponded with the growth in IT, security has always been lagging behind,” says Rodney J. Petersen, director of the National Initiative for Cybersecurity Education (NICE), an interagency initiative within the federal government spearheaded by the National Institute of Standards and Technology (NIST). “The demand is out there, but the qualified professionals and the education programs are not.”
Similarly, Greg Touhill, deputy assistant secretary for cybersecurity and communications at the U.S. Department of Homeland Security, sees “numerous gaps that we as a society need to address in the United States, as do many of our international partners.”
The demand for experts is outstripping the pipeline, especially when it comes to technical education, Touhill says. “Not just for young people, but for people looking to change careers.” Indeed, even when these positions are getting filled, the so-called IT security “experts” filling them may not have the necessary skill set, access or expertise to tackle the job.
Michael Potters, CEO of the Glenmont Group, an executive recruitment firm specializing in legal and technology jobs, says there's no shortage of people who want positions, but being qualified is the issue. “These roles require hyper-qualified people and it's hard to transition to this space without certain knowledge and skills.”
And the potential recruits who do have the right qualifications and background, Potters adds, are enjoying the strong demand for their talent – entertaining competing offers, staying put and taking counter-offers and, generally, driving up salaries.
Robert Martin, senior principal engineer for MITRE Corp., a nonprofit organization that manages a federally funded research and development center to support several government agencies, believes part of the issue is that long-time network security employees – who were trained on mainframes and taught to rely on a secure perimeter – are often ill-equipped to manage the new realities of today's mobile- and cloud-based and application-heavy systems. “This is not just about personnel power, but what we equip them with,” Martin says. “It requires a different way of thinking.”
And, despite all efforts to the contrary, this gap continues to grow, says James Arlen, director of risk and advisory services for Leviathan Security Group. “The demand is rising far in excess of private industry, schools and government's [ability] to make a difference.”
Jeff Snyder, president of SecurityRecruiter.com, filled his first executive search for an IT security position nearly 20 years ago. He says despite the tremendous demand which has exploded in the past two decades, there are still relatively few capable candidates who can fit the tall order for a high-level cybersecurity post.
Potters says the quick maturation and rapid changes in the IT security industry have contributed to a more frenzied focus on getting solid IT security talent. “There's been that ‘holy cow' moment for large companies and venture capitalists, and now everyone has their eyes on cybersecurity,” Potters says.
Martin Libicki, senior management scientist at the RAND Corp. and a professor at the U.S. Naval Academy, says there has been a longstanding concern about the lack of IT security chops available to government, military and private industry. He believes that the number and severity of recent data breaches have brought the need for talented IT security specialists to the fore and, consequently, loosened corporate purse strings a little. “Labor market adjustments are always very slow,” Libicki says. “This is tough stuff.”
With that in mind, the government has been perhaps the most aggressive sector to push forward an agenda of educating and training new cybersecurity professionals. Through its NICE national initiative, it is working with organizations, as well as schools and colleges, to develop new programs for IT security education at various levels. Some of these programs will offer scholarships for service, so an aspiring cybersecurity professional could earn their degree for free in exchange for a few years of government service after they graduate, according to NICE's Petersen. “The next step is to get local and state governments involved,” he says.
Touhill at the DHS points to Raytheon as just one of the businesses that is more recently spearheading cybersecurity education initiatives and training programs as well. “We are seeing more and more companies that are investing in retooling their workforce, especially as more senior leaders are putting cybersecurity on the agenda,” he says. “We need to invest in training those existing employees, the ones with great interest and talent, who may be right under our noses already. We need to repurpose and retrain them, as well as recruit new cybersecurity professionals.”