Unless you spent all of 2017 (and 2016 and 2015) marooned on a desert island, you are very aware that there is a severe cyber security talent shortage happening across the globe. Recent estimates have been trending upwards, with experts predicting a staggering 1.8 million open cyber security jobs by 2022 – unless we find a way to start filling seats quickly and continuously. But we’re hopeful that we can start shrinking the gap, and the first step in finding the solutions to this problem is understanding the reasons behind the shortage.
Few industries have suffered a resource shortage like this one, and the reasons behind this problem are unique to the security industry. Industry experts – including our own – have given a range of explanations for the shortage, but we see five key reasons at the root of all of these.
1. Cyberattacks have grown in frequency and complexity.
2017 saw some of the largest and most sophisticated breaches and cyberattacks of all time. In April, the ShadowBrokers hacking group released a number of tools that the NSA allegedly used for intelligence gathering, including the EternalBlue exploit, which was leveraged by other attackers in a number of notable attacks this year, including NotPetya and WannaCry.
Recently, we saw the credit giant Equifax fall to a breach that is estimated to have affected 143 million people. Many consider this to be the worst breach of all time, as incredibly sensitive data like SSNs, drivers’ license numbers, credit card data, and dates of birth were compromised. And then, Uber revealed that 57 million customers’ data was breached in 2016.
No industry is safe from these attacks. Catastrophic incidents are affecting those in unexpected places like critical infrastructure, healthcare, logistics, and education, as well as the usual victims in financial services and retail.
The aftermath of these breaches has sent organizations scrambling to add more skilled cyber security professionals to their teams. With malware a persistent threat, teams need to find experts in detecting and responding to it as well as cyber forensic analysts to dissect it and prevent future attacks. With sneaky phishing attacks increasing, cyber security leaders need more security analysts to patrol the front lines of their defenses, deftly identifying and alerting the team of threats.
2. Enterprise technologies are a growing, valuable target.
Internal systems, tools, and networks are evolving and pose new risks to organizations. In a world where hackers exploit outdated software to breach organizations and have a library of knowledge of traditional networks, you need the best technology, proven processes, and the most advanced techniques to protect your organization.
Outside of the security team, organizations are using more tools to manage employee, customer, and proprietary data. Systems are larger, more people have access, and each business function has its own set of tools. To integrate these tools, many companies have developed homegrown platforms or tools that can present soft spots for attackers. On top of all of this, many enterprise workloads are moving to the cloud, adding additional complexity and introducing new third-party security concerns.
Each new system adds potential vulnerabilities and requires more experts to mitigate the risks. Network architects and software engineers with security knowledge are in high demand, and identity governance experts are needed to help manage access to these systems and tools.
In addition, end users of these platforms need to be aware of the threats they might face. Security teams need experts who can develop and implement security policies and best practices, and communicate these effectively to the rest of the organization.
Organizations aren’t going to slow down when it comes to adopting new systems or evolving existing ones. But without the right security experts, these new tools can be the source of a serious breach.
3. Everybody is hiring, all of the time.
Rapidly maturing threats and an increased attack surface, among other factors, have set organizations on a hiring binge, as they all seek more human resources to help slow the attacks. Right now, the average number of cyber security professionals per organization is 33, and we don’t see that number shrinking. In fact, 70% of employers around the globe are looking to increase the size of their cyber security staff this year.
The staffing crunch is compounded by the fact that cyber security is an enterprise-level concern for nearly all large organizations, in all industries. With the federal government bulking up its cyber security forces, and security consulting firms growing rapidly as well, there’s even more competition for the limited pool of existing skilled resources.
Smaller companies are getting into the game too. As cyber attacks on soft-target small businesses continue to rise, smaller and smaller businesses and non-profits are electing to hire dedicated security resources or outsource to cyber consultants – each of which adds more strain on the already overwhelmed labor market. Unfortunately, the tight labor market makes it nearly impossible for these smaller companies to offer competitive salaries or retain these resources.
Not since the dot-com boom of the late ‘90s has an industry been in this position: with virtually every company hiring for the same positions, at the same time. This rapid spike in hiring – across all industries and organizations – is driving the workforce gap higher and higher. Traditional talent development pathways (universities, vocational schools, etc.) are unable to keep pace with yesterday’s demand, let alone tomorrow’s, perhaps requiring a reworking of traditional cyber security hiring models.
4. Organizations only want skilled, experienced experts.
It’s not that college freshmen aren’t choosing technical majors or recent grads of the nation’s growing number of cyber security programs aren’t pursuing careers in cyber; they are. It’s that these new grads don’t have the years of hands-on experience and qualifications that most organizations think they need.
Because many organizations are rushing to get ahead of the next big breach, they are looking to hire professionals who are experts in their field, ones who can jump right in and fill a number of gaps. At the rate attacks are occurring, this is understandable, but not necessarily sustainable. By simply looking at years of experience, employment history, and certifications, businesses artificially constrain themselves to a small pool of existing cyber professionals, ignoring a broader pool of motivated, talented, trainable employees.
In fact, many existing cyber security experts (87% to be exact) come from non-traditional backgrounds, like finance, accounting, the military, and business. Cyber security isn’t just about your experience combating threats or working with certain systems and tools - it’s also about your ability to communicate effectively, to think on your feet, and to develop creative solutions. While recent grads may not have the years of experience, many of them have strong soft skills and a desire to improve their technical skills. Organizations that think broadly and are willing to commit to the legwork of building a workforce development program can reap the benefits of that expanded talent pool.
5. There aren't enough women in cyber.
In 2016, women made up only 11% of the cyber workforce – a surprisingly low percentage that hasn’t budged in the past four years. The number of women seeking jobs in this field is stagnant, which shouldn’t come as a surprise. More than half of women in cyber security have faced discrimination in the field. In addition, women often don’t see the same opportunities to advance in the field, as men are nine times more likely than women to hold management positions in cyber security.
It is difficult to pursue a cyber career when you feel like an outsider in your field. But the industry hasn’t made many moves to embrace women in cyber security. Challenges like underrepresentation, a significant global pay gap, discrimination, and not feeling valued discourage women from joining the industry. And this, in turn, contributes directly to the cyber security workforce shortage.
As the number of unfilled seats rises, cyber security needs to adapt its view of women in cyber and change the mentality and practices that are holding them back. Over half of women under the age of 29 have a technical degree like computer science, indicating that if given the opportunity, young women in the field could dramatically shift the direction of this shortage. Industry research has shown that leadership programs, training opportunities, and sponsorship by a senior leader have helped women reach new heights within the field and pursue a career in cyber.
At the root of the cyber talent shortage is the inclination to choose the experienced over the less tenured. We can’t fault anyone for this. It’s natural to want to hire someone who has proven they can do the job (and maybe a few others while they’re at it) over someone who’s new to the industry and looking to learn. But as this shortage has proven, feeding this habit isn’t sustainable. There simply aren’t enough experienced hires to go around, and we’re leaving professionals with lots of potential and a desire to learn behind.
We’ve said it before, and we’ll say it again (and again and again), but constructing a program that gives your employees the opportunities to develop specific knowledge, skills, and abilities through hands-on experience can completely change your hiring equation. It can promote diversity, build up the next generation of cyber professionals, and improve retention. Within the program, you can identify the skills you lack, the roles you need to fill, and how to weave those into functions within your organization. You can have a clear, comprehensive view of your cybersecurity organization and a plan to enable it. It’s sustainable and can protect your organization against tomorrow’s threats.
To learn more about how to build a workforce development program that grows the cyber security professionals you need, check out our virtual white paper, the Essential Guide to Cyber Workforce Development.