The Supply and Demand Imbalance
The demand for cyber security professionals continues to tick upward. New data released on November 8 by CyberSeek, an online resource from NIST, quantifies the magnitude of the problem.
U.S. employers in the private sector posted more than 315,000 jobs for cyber security professionals from September 2017 to August 2018, up from 285,000 over the same period the previous year. Those open positions are in addition to the more than 715,000 cyber security professionals already employed in the U.S.
In practical terms, this has widened the gap between open jobs and the number of people qualified to fill them. In the cyber field, the ratio of existing cyber security workers to the number of cyber security job openings is 2-to-3.
In other words, every third seat in the SOC sits empty.
To put that into context, the U.S. labor market on the whole has an average of 5.8 employed workers per job opening. What makes the cyber security situation alarming is that the supply of unemployed cyber security workers sits nearly at zero, making those open positions increasingly difficult to fill.
In certain geographic markets, the problem is even more dire. Washington, D.C., currently has more than 44,000 open cyber security jobs, with 20,000 open in New York City, 12,000 in Dallas, and 11,000 in Chicago.
Closing the Cyber Security Hiring Gap
With few mission-ready cyber security professionals on the labor market, organizations are forced to find other ways of filling open security positions. Many leading security teams have found success building training and workforce development programs that create talent pipelines into their hardest-to-fill security roles.
To get started, many organizations focus on transitioning IT employees into cyber employees. In these "IT to Cyber" pipelines, existing IT professionals are put through a rigorous development program to build the baseline skills required of an entry-level cyber security professional. Because your existing IT employees have an understanding of your environment, as well as a natural technical aptitude, they can often be developed into effective security resources in less time and at less cost than attempting to hire a new resource in a demand-heavy labor market. These IT employees may be given initial training in areas like operating system security and network traffic analysis.
This same approach, of course, can be used with non-IT resources as well. As we've written elsewhere, there are many ways to spot hidden cyber security talent within your existing employee base. Sometimes existing employees in audit, finance, or marketing may have the key personality traits required of cyber security professionals.
If your entry-level skills gap is not a problem, you can focus instead on filling the more difficult cyber security positions - your malware reverse engineers, malware analysts, network security engineers, etc. Professionals with these skillsets are very difficult to find, and even more difficult to hire.
But a proper workforce development program works like a ladder in your security team, allowing your existing employees to climb into these top positions. If your workforce development program is mapped to specific roles, and the skills required of each role are defined, your employees know exactly what they must do to reach the next rung. As the security leader, your job is to find your employees the training and skills development courses they need to progress.
This sort of workforce development program requires an investment of time, money, and effort - but it's the only model in the market that allows organizations to permanently solve (not just temporarily patch) their cyber workforce shortage by creating the talent to fill positions and retaining the people worth keeping long term.
If you'd like to learn more about how Focal Point helps leading security teams develop talent, check out our virtual white paper, the Essential Guide to Cyber Workforce Development.