Within IT, the skills shortage for various positions is fairly well known. There’s a hiring and education push for data scientists, IoT developers, and a host of other positions. An often overlooked but supremely important shortage is also occurring within cybersecurity. There’s a limited number of qualified people who understand the pressing need for improved cybersecurity and possess the right knowledge about best practices. This specific shortage is not just an inconvenience for companies and HR departments; it’s also a real risk for companies trying to protect their data, patents, and customer databases from breaches.
Measuring the Shortage
According to data from IDG, the cybersecurity skills shortage is worsening: only 23 percent of IT management respondents noted a cybersecurity skills shortage issue in 2014, and that percentage rose year-over-year to 51 percent in 2018. This represents both a growth in the demand for such roles and a broader acceptance of cybersecurity as an area of business that requires investment and focus.
Data from Cybersecurity Ventures notes there will be 3.5 million unfilled cybersecurity positions by 2021. And by that year there will be a cost from cybercrime of more than $6 trillion, a dramatic increase from current levels that should serve as a wake-up call for the entire industry. The shortage of qualified people to tackle the exponentially increasing cybersecurity risks is due to several market factors, and can be addressed through swift actions throughout the industry.
Big Players Grab the Talent
During the big buildup in Silicon Valley in the last 20 years, companies have hired software developers, system infrastructure experts, and others to help them build out a variety of services. These staff were focused on the user experience and driving growth, but they weren’t usually security-minded. As breaches became more prevalent and impactful, big companies such as Oracle, Microsoft, and Google began hiring the best talent on the security side. These firms are now leveraging this top talent by offering their services with security features.
With demand quickly outpacing supply, there simply isn’t much talent left for other companies that need to protect their digital assets. So if a large accounting firm wanted to hire some security people for what should be a $125,000 a year job, they couldn’t pull them away from the $300,000 Silicon Valley offers. This has created a bit of a monopolistic situation, where companies are forced to spend more for expensive outsourced security instead of being able to hire one or two highly-skilled people. That’s a big part of the risk with the skills shortage, where the knowledge base of cybersecurity is now taken up by just a few giant companies, instead of spreading out to SMBs.
Smaller firms can tackle this issue by offering employees no ceilings with regard to their job advancement. This means empowering them to look into other areas that are pertinent to their roles, and encouraging collaboration to help them develop broader context on the industry. Employers should aggressively promote and educate their top talent by providing them with cybersecurity training and resources that allow them to become integral parts of the organization.
Education isn’t Meeting Demand
Employers are trying desperately to bring on board qualified cybersecurity people, but there’s simply not enough supply. Recruiters try their best, but they aren’t doing enough to determine whether people who claim cybersecurity work on their resume truly have any relevant experience. Many firms make attractive offers to workers who then prove incapable of implementing cybersecurity best practices or even of understanding the threats. They’re “faking it” because the demand is so high that even if they don’t succeed at one job, they have the safety net of massive demand from other companies.
Again it’s the breaches that have happened so frequently and with such momentum that are causing this problem. Education simply cannot catch up, and the industry as a whole is well behind on helping train internal staff on cybersecurity. There’s not enough effort on education to build an understanding of how to properly protect infrastructure and the types of threats that are out in the world today.
For employers, there’s massive attrition amongst the new hires, which in turn drives salaries to very high levels. Workers in this space can afford to “jump ship” frequently, and can readily find work regardless of their previous performance. And the industry itself is changing, with so many layers of risks, from ransomware and IoT intrusions to the challenges of protecting new technologies such as the blockchain. There’s such a need for education and basic comprehension of the issues, but cybersecurity courses have only been around for a few years and are far from creating a critical mass of qualified people. Employers at SMBs have limited budgets and need to carefully examine each candidate to reduce turnover. They can accomplish this through cognitive and background tests that identify candidates with the right talents for strenuous cybersecurity roles. Improving the hiring process across the board is a best practice that prevents firms from wasting time onboarding and training the right talent, and instead gives them a better chance to find the long-term staff.
Shortening the Gap
Improving the cybersecurity skills gap will require a commitment to education, both internally within companies and in universities. The risks of cybersecurity are persistent and growing, and colleges and professional associations should encourage interested individuals to commit to understanding the threats and best defenses of cybersecurity. Currently, there are people operating the security infrastructure who don’t completely know what they’re doing. It’s akin to operating an ocean liner without experienced sailors, engineers, navigators, and other staff. The ship’s bound to sink.
Until companies can be sufficiently staffed, they should look to third-party experts and security solutions providers to provide, at a minimum, easy-to-use solutions with guidance that protect access to valuable data. These tools should also protect the data itself, thus mitigating the risk of loss due to lack of on-staff experts. Technology tools such as encryption, data access controls, and automation solutions will also play a role in bridging this skills gap. Until there’s an abundance of education and the proper skill sets are available in the workforce, companies will need to create solutions that offer protection and are easily deployed and used without any complications. These tools need to be accessible for staff members who are working in cybersecurity but lack the requisite skills to get the job done properly without outside help. With the right intuitive and user-friendly tech tools, these workers can still protect networks while they continue their best practices training and develop advanced cybersecurity techniques.
About Richard Blech
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.