The 2017 Global Information Security Workforce Study (GISWS) released in February 2017 forecast a shortage of 1.8 million cybersecurity workers by 2020, while a study by Cybersecurity Ventures estimates “3.5 million unfilled cybersecurity jobs” by 2021. While the projected magnitude of the shortfall varies from one study to the next, government experts, consultants, and pundits alike are unanimous in predicting that the current shortage of qualified cybersecurity workers will only get worse for the foreseeable future, a situation Steve Morgan has called “the greatest cyber risk of all.”
There is less agreement about why the shortage exists and, therefore, how to fix it. The traditional school of thought is that educational institutions haven’t prepared enough graduates to meet the growing need. The implied solution from this perspective is to increase educational capacity by creating new programs and increasing enrollments in all programs through better marketing and outreach efforts. Outspoken critics of this perspective, however, say that cybersecurity is not an entry-level position and that graduates of cybersecurity programs lack the technical depth required to be effective.
These critics offer an alternative perspective – cybersecurity professionals are not trained in the classroom but must be developed on the job after gaining expertise in IT operations. So rather than casting about externally for cybersecurity talent that isn’t available, IT managers should be looking within their own ranks for people who could be trained in security. For instance, in a 2015 Computerworld column, “The myth of the cybersecurity skills shortage,” Ira Winkler wrote, “The best security practitioners have experience in the technology and processes that they are supposed to secure…If you have no experience as a system administrator, you cannot maintain the security of a system.” He goes on to say that most of his work as a security professional has been to shore up poorly designed, poorly configured, and poorly maintained systems, which requires IT knowledge, rather than using hacking knowledge he gained in his training. But this perspective also has critics.
A third point of view is that IT managers who only look for security professionals with IT/computer science credentials are creating the shortage through their own myopia. In a Harvard Business Review article, Marc van Zadelhoff, General Manager of IBM Security, describes IBM’s approach of creating “new collar” jobs. They look for people with “unbridled curiosity, passion for problem solving, strong ethics, and an understanding of risks” – characteristics that can’t be taught – and then train them in the necessary technical skills through on-the-job programs, vocational and community college courses, and industry certification programs, such as those offered by (ISC)2. Supporting this view is the finding in the Global Information Security Workforce Study that 87% of current cybersecurity workers began their career in another field, some in other IT roles but many in non-IT fields.
So what’s the answer?
Like most difficult organizational problems, there is no single cause and, therefore, no single solution. Addressing the cybersecurity personnel shortage will require focused and creative efforts on the part of educators, managers, trade associations, and employees alike.
- Educators need to work closely with industry to identify the needed knowledge and skills to integrate into existing curricula or to serve as the basis for new programs.
- Managers, meanwhile, with support from HR and other training resources, may need to create their own internal on-the-job training programs for existing personnel, creating opportunities for lateral moves into security positions.
- Managers may also need to cast a wider net for potential security talent as IBM has done, looking for people with the necessary character and an eagerness to learn outside the IT ranks.
- Trade associations, such as ISSA and (ISC)2, can pool resources to raise awareness of high school, college, and midcareer professionals of available cybersecurity career options and the paths available for acquiring the needed knowledge and skills.
- Workers already in cybersecurity positions will need to adapt to their role as teacher/mentor to those moving into security positions, respecting those with non-IT backgrounds as possibly bringing in fresh perspectives.
Finally, even if there were an excess of cybersecurity pros, they cannot safeguard an organization alone. All workers, managers, and executives, from the front desk and loading dock up to the C-suite must come to recognize that cybersecurity is now a part of everyone’s job! More on this in the weeks to come.
Is a personnel shortage putting your organization at risk? Contact us for a third-party Security Risk Assessment to find out: 512.310.0020 or info@thirdrock.com.