There have been a lot of studies this year examining the cybersecurity workforce and skills shortage, but the (ISC)2 Cybersecurity Workforce Study 2019 has taken a different approach to analyzing the state of the cybersecurity shortage. (ISC)2 has been conducting this survey for more than a decade, and for the first time, it estimates the current cybersecurity workforce as well as the amount of additional trained staff needed to close the skills gap. The survey also included a wide mix of security professionals globally, whose responsibilities range from network security architecture to security compliance to risk management.
At a glance, the study matches up well with those other studies released recently: Most organizations report a staffing shortage and finding skilled security professionals is a top hiring concern, and nearly half of those surveyed expect to see their security budgets rise in the coming year. There are some complaints about work-life balance—something that often gets cited as a reason why people leave the field.
What this study also shows, and what you don’t always see, is a breakdown of titles and job duties (which don’t always fit neatly into the scope of security professional) and where security professionals are coming from. Only 42% of respondents said their first job was in a cybersecurity field, meaning most of today’s security professionals are coming from other careers. Oh yeah, and cyber professionals are young: 65% are between the ages of 25 and 44, and a little more than a third have a bachelor’s degree. Another encouraging point to mention about this survey: 30% of the respondents were women.
So Why the Gap?
“The study provides actionable insights and strategies for building and growing strong cybersecurity teams,” Wesley Simpson, chief operating officer with (ISC)2, said in a formal statement.
During a conversation at (ISC)2’s Security Conference in October, Simpson said that if you look at this study and the industry at large, the skills shortage makes little sense. There is virtually no unemployment—the jobs are there, needing to be filled. Workers don’t have to go through a formal cybersecurity educational path; in fact, many recommend looking for a diverse set of skills such as communication and the ability to quickly learn new technologies from employees inside the organization. Cybersecurity professionals make good money, too: The average salary in North America is $90,000. And yet, the skills gap continues to grow.
There are a couple of reasons for this, in Simpson’s opinion. For one, the market isn’t able to keep up with the demand. The number of cyberattacks is skyrocketing, and will continue to increase as long as cybercrime remains profitable.
Also, the cybersecurity profession must deal with its negative reputation. “If you do a Google search on cybersecurity, you know what always comes up on that first page? A picture of a person wearing a hoodie, hunched over a computer in a dark room,” he said. How often do you ever see pictures of the cybersecurity good guys coming to the rescue?
Finally, while there is a clear need for all types of cybersecurity professionals, the industry has not created a consistent career path. Titles, job duties and salary grades are all over the place. Even though the diversity of backgrounds is seen as a positive overall, the downside is that there is no defined career path.
“We have made this industry very complex because we haven’t banded together—in public sector, private sector, academics—to come up with a cohesive picture of what is cybersecurity,” Simpson said.
How Do We Close the Gap?
Closing the gap isn’t going to happen next year or even in the next decade. The pipeline into cyber careers has to begin long before college freshmen declare a major. When younger people are encouraged to develop interests in STEM subjects, cybersecurity should be introduced right along with coding, math and chemistry. High school students should learn what types of skills and interests match with a career in cybersecurity. “We have to look at ways to plant the seeds to get kids thinking about cybersecurity earlier,” Simpson said. “But we also need to encourage STEAM, adding the arts, to bring in those interested people.”
At the workforce level, organizations need to rethink their internal processes. Cybersecurity isn’t a career that easily fits a traditional job description or checks off all the boxes. There needs to be a more global approach to designing the job, and that has to start at the beginning when looking at resumes. If the scope of the job is too tightly defined and the only candidates who are interviewed are those who meet a very hard list of requirements, you miss out on finding the diamond in the rough, someone who isn’t perfect now but could be.
But mostly, we need to create organizations where everyone is talking about cybersecurity, where the mystique is shattered and it becomes a day-to-day routine for everyone.
“Knowing where we stand and the delta that needs to be filled is a powerful step along the pathway to overcoming our industry’s staffing challenges,” said Simpson.