The information security profession, which evolved largely in reaction to threats, is now paying the price of an entire “missing generation.” Companies are challenged finding pros with the combination of business and technical savvy that is needed to combat growing threats. Compounding this problem, educational institutions are not graduating enough students with the necessary skills or experience for entry-level positions. It is estimated that between 300,000 and 1,000,000 current cybersecurity positions are vacant. Demand is expected to rise as public, private and government sectors face unprecedented numbers of data breaches and cybersecurity threats.
The lack of qualified security talent leads to ripple effects throughout the industry and economy. There is a proven link between a weak security posture and lack of security expertise within an organization. Today, the lack of cybersecurity talent can be an organization's biggest vulnerability, exposing it to serious risk, and is even more dangerous than technology vulnerabilities. The lack of talent may even lead to inhibited economic growth.
Despite the spotlight on cybersecurity skills as a global priority, widely accepted career definitions are still evolving. This lack of consensus makes it difficult for the industry to attract new entrants and for pros to advance their careers.
One step in solving these issues is to begin defining common job titles. Imagine if “network security analyst” described the same position not only in the U.S. but also in other parts of the world. Common job titles would allow professionals to effectively relate to their peers globally and even work in other countries. It would also allow them to focus their time and resources on building the skills and experience most relevant to their career path. And it would allow businesses to hire professionals based on standardized skill sets and expectations of roles.
In addition, there is no clear career mapping for setting goals and growth. Many have the misconception that in order to grow and mature, the ultimate endpoint is a security executive, which many believe to be the CISO. Nothing could be further from the truth. Not all security pros want to be a CISO, nor is a CISO the only executive position; there are roles considered to be at the same level with the titles of chief scientist or chief security architect. The important thing is that the career map fit the individual, and that may include remaining as a “senior member” of a cybersecurity team.
It was over a year ago that the Information Systems Security Association (ISSA) started to investigate the cybersecurity skills gap and to evaluate how it could identify and deliver the services that are most appropriate to its members. What became clear is that there is an overarching need for an internationally accepted framework that defines the cybersecurity career for individuals in our profession. Thus the ISSA Cybersecurity Career Lifecycle (CSCL) was born.
It also became clear that this challenge cannot be solved by one single entity. It must be an industry-wide collaboration.
This is a key opportunity for the profession to stop being reactive and to begin to drive our own destiny. In response, the ISSA will be calling for participation in the International Consortium for Cybersecurity Education, bringing together key stakeholders from the public and private sectors around the world to find a common solution for this shared problem.
Without consensus and collaboration, the onslaught of breaches to corporations and threats to critical infrastructure will continue to escalate. To keep pace, we need to mature the cybersecurity profession into a proactive, not reactive, model.
Candy Alexander is senior GRC consultant at Towerwall; on the international board of directors at ISSA; and an ISSA Distinguished Fellow and a Hall of Fame recipient.