While we’ve been monitoring the cyber security talent shortage over the past couple of years, it exploded as a news story in 2017 – becoming the subject of dozens of think pieces, blog posts, and research studies. As workforce reports were released throughout the year, the numbers skyrocketed, and the buzz grew louder. But this exposure resulted in two problems: it’s now very difficult to grasp how large this issue really is, and companies have become too comfortable with the problem, deciding the problem is too big to solve or they don’t have a role to play in the solution.
But we want 2018 to be different. We want 2018 to be the year we start closing the cyber talent gap. Over the last decade, we’ve learned a lot about this problem and some ways out of it through our work with both government and commercial organizations. So in this post, we’re going to examine just how big this problem is and how it is affecting our industry, and then we’re going to look at some of the ways we can start making that 1.8 million number a little smaller.
The cyber security talent shortage spans the globe.
We’re reminded daily that cyberattacks like WannaCry and breaches like Equifax have a global impact. Like these threats, the cyber workforce shortage isn’t just a U.S. issue, but something impacting organizations around the world. The best estimate we have of the global workforce shortage comes from (ISC)2, which predicts the gap to hit 1.8 million in 2022. And that shortage is fairly evenly distributed: 68% of cyber security experts in North America say they don’t have the professionals they need on their security teams, as do 67% in Latin America and 66% in Europe. The issue isn’t distribution of cyber resources – it’s that there just aren’t enough of them out there.
While everyone is struggling with this shortage, the reasons for it vary by region. For example, more than half of those interviewed in North America said finding qualified personnel was the problem, but 50% of those in the Middle East and Africa attributed the problem to leadership not understanding the requirements for a strong team. The other top reasons include the inability to retain cyber employees and a lack of a defined career path.
The cyber security talent shortage is a problem of global proportions. If we are short on cyber professionals everywhere, it means we can’t hire our way out of the problem. We’re going to have to build up the cyber professionals we need by training recent grads, pushing more diverse backgrounds into the cyber job market, and building workforce development programs that define career paths and reduce turnover.
The talent shortage impacts the security of our organizations.
We’ve looked at the physical size of the problem, but now let’s look at its impact. Cyber security leaders across the globe cite a lack of cyber professionals as a reason they cannot respond effectively to threats. You can have the best tools and systems in place, but if you don’t have the resources to analyze and report on the data they collect, build the processes, take action, and manage the tools, you can’t be effective.
A quarter of security leaders listed a lack of trained personnel as their top hindrance. That’s an increase from last year’s Annual Cybersecurity Report from Cisco. (ISC)2 found that 66% of cyber security professionals don’t have the staff they need to identify and address threats, leaving their organizations exposed.
Other research found that nearly a quarter of security leaders believed that being understaffed had resulted in at least one security event in the past two years.
On top of this, the top constraint cyber leaders reported was budget, which has a trickle-down effect on hiring. Forty percent of cyber leadership in a recent study said they have to spend most of their time focused on critical threats, rather than developing and executing a security strategy. This means these leaders don’t have the time to prepare the workforce plans, justification for roles, and overall cyber strategy that the Board wants to see.
Experts are predicting that cybercrime will cost businesses $6 trillion annually by 2021. Soon organizations won’t be able to afford not to budget for the resources needed to protect themselves. As threats and attacks become more sophisticated and successful, we see the critical need for bigger, more skilled cyber security teams within our organizations.
It’s more than a number of empty seats – it’s a lack of skills.
We know the number of open jobs is more than a million. We know it’s increasing and we know it has an impact on the security of our organizations. But the cyber talent shortage is more than a number – it's a lack of talent. Beyond empty seats, cyber security leaders can’t find qualified team members – those with knowledge, skills, and abilities they can apply directly to their job. What each organization considers “qualified” varies, but we’ve identified a few things that apply across the board:
Hands-on experience and certifications are at the top of everyone’s list. But this approach means employers too often focus on senior professionals and overlook recent grads – which means they’re just re-using established professionals and eliminating a large number of candidates from an already small pool.
Certifications are still prominent on employers’ checklists. They’re an easy (if imprecise) way to measure capabilities – even though their reliability is sometimes debated in the industry. Nevertheless, 69% of open positions require one, which means that those who recently joined the workforce (or even those with years of practical, hands-on experience) are often filtered out of the hiring process before being given a true shot.
The problem is that the cyber security talent pool as it’s traditionally been defined (years of experience, certifications, etc.) isn’t big enough to meet our needs. But we may be sitting next to a veritable ocean of other resources – younger hires, diverse backgrounds, the certification-less – that have been overlooked. Tapping those sources is key to climbing out of the workforce shortage we’re in now.
It’s possible to change the numbers.
We know this looks pretty bleak. It’s a problem everywhere, it’s putting our businesses at risk, and current hiring practices are making it worse. But there is some good news: We can change the game.
Step 1: Change your hiring methods.
Traditional hiring methods don’t work in the field of cyber security. We have to start thinking outside the box. Rather than looking at years of experience and certifications, organizations should assess skills through aptitude tests. Rather than hiring only for technical skills, interviews should be conducted in a way that examines soft skills and key personality traits. Are they problem solvers? How are their communication skills? Instead of looking for one unicorn to fill three gaps, maybe it’s time to look at hiring three recent grads who can each grow into one of those jobs. It’s time to get creative.
Step 2: Include more women.
Women only make up 11% of the cyber workforce. That is abysmally lower than the general workforce. Traditionally, women have been discouraged from pursuing technical careers and often aren’t given the opportunities for advancement they need to have a successful cyber career. It’s time to stop making women feel like outsiders in this industry. We’re excluding half of the population from succeeding in a field where we are in desperate need of talent. Encouraging female students who show interest to pursue degrees and careers in cyber is important. Building women into leaders in this industry and giving them the opportunities they need to advance opens up a whole new pool of experienced, qualified talent.
If you want to hear directly from women about what we can do to bring more women into the cyber workforce, check out our series on the women changing the cyber security gender gap.
Step 3: Build (rather than hire) the team you need.
As our cyber teams grow and the need grows more urgent, waiting for the cyber pool to grow and chasing experienced hires aren’t sustainable options. Instead, we need to build workforce programs that bring in new grads or resources from other fields (e.g., IT, business, finance, the arts) and build them into the cyber experts we need. Workforce development programs that start with identifying the roles you need to fill and then developing the skillsets needed to fill those roles provide you with a reliable pipeline of security professionals. You’ll have to roll up your sleeves and put in the work at the get-go, but it’ll pay dividends in the end.
Cyber workforce development can completely change the odds of the cyber security talent shortage. We could go on using tired hiring methods and swapping professionals or we could cultivate entirely new streams of cyber talent, filling seats with skilled, qualified employees who are excited and ready to combat tomorrow’s cyber threats.
How do you get started? We’ve been helping organizations build these programs for years and built an interactive, step-by-step guide on how to get one off the ground. You can read it right here.