Corporate cybersecurity has a problem. And it's not just with high-profile data breaches, lagging technology tools or disparate or older systems that represent points of vulnerability in any security scheme. It's qualified workers. As in, where are they?
Currently, the answer is: Missing in action. The IT security industry has matured light years faster than the workforce, creating a shortage of proficient employees to fill the ever-increasing number of IT security positions in private industry and government. That personnel gap rivals any experienced by the technology industry in decades.
According to the “Cisco 2014 Annual Security Report,” the global shortage has reached as many as one million IT security pros, a shortfall expected to rise to 1.5 million by 2019 as the cybersecurity workforce grows to six million worldwide. And the gap may be widening. More recently, “The State of Cybersecurity: Implications for 2015,” a report released in January 2016 by the Information Systems Audit and Control Association (ISACA), found that it takes 53 percent of organizations between three and six months to fill such jobs, and one in 10 organizations cannot fill them at all, leading to greater vulnerabilities and fewer controls or security policies, all of which increase the risk of a breach.
“If you think about the growth of cybersecurity and how it has corresponded with the growth in IT, security has always been lagging behind,” says Rodney J. Petersen, director of the National Initiative for Cybersecurity Education (NICE), an interagency initiative within the federal government spearheaded by the National Institute of Standards and Technology (NIST). “The demand is out there, but the qualified professionals and the education programs are not.”
Similarly, Greg Touhill, deputy assistant secretary for cybersecurity and communications at the U.S. Department of Homeland Security, sees “numerous gaps that we as a society need to address in the United States, as do many of our international partners.”
The demand for experts is outstripping the pipeline, especially when it comes to technical education, Touhill says. “Not just for young people, but for people looking to change careers.” Indeed, even when these positions are getting filled, the so-called IT security “experts” filling them may not have the necessary skill set, access or expertise to tackle the job.
Michael Potters, CEO of the Glenmont Group, an executive recruitment firm specializing in legal and technology jobs, says there's no shortage of people who want positions, but being qualified is the issue. “These roles require hyper-qualified people and it's hard to transition to this space without certain knowledge and skills.”
And the potential recruits who do have the right qualifications and background, Potters adds, are enjoying the strong demand for their talent – entertaining competing offers, staying put and taking counter-offers and, generally, driving up salaries.
Robert Martin, senior principal engineer for MITRE Corp., a nonprofit organization that manages a federally funded research and development center to support several government agencies, believes part of the issue is that long-time network security employees – who were trained on mainframes and taught to rely on a secure perimeter – are often ill-equipped to manage the new realities of today's mobile- and cloud-based and application-heavy systems. “This is not just about personnel power, but what we equip them with,” Martin says. “It requires a different way of thinking.”