If you’ve worked in the tech industry for some time or have even a passing interest in workforce trends, you likely already know about the never-ending nightmare of the cybersecurity skills gap. A quick Google search on “cybersecurity skills shortage” yields over half a million results, and there are numerous government and industry organizations like the National Integrated Cyber Education Research Center and the National Initiative for Cybercareers and Studies devoted to addressing the problem.
That said, it’s Halloween, so if you’re looking for some spooky facts, just think about the numbers related to this skills shortage—they’re alarming. According to the non-profit IT security organization ISC², there are currently 2.93 million cybersecurity positions open and unfilled around the world. Further, Cyberseek, a mapping tool of supply and demand in the security job market, reports over 300,000 open cybersecurity positions available in the U.S. alone. The current ratio of existing cybersecurity workers to cybersecurity job openings is 2.3, compared to the national average of 5.8 for all jobs. The most jobs available are in the Operate and Maintain areas, defined according to the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework as those that “provide the support, administration and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security.” Jobs that Securely Provision followed closely behind, defined as those that “conceptualize, design, procure and/or build secure IT systems.” These jobs include specialty areas in risk management, software development, and testing and evaluation, among others. In addition, jobs requesting public cloud security skills, for example, remain open 79 days on average, which is longer than almost any other IT skill.
Trapped in the Funhouse
Unfortunately, the problem doesn’t seem to be getting any better. Another survey by the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG) found that the skills shortage is worsening for the third year in a row, impacting approximately 74% of organizations. The most acute skills shortages were seen in cloud security (33%), application security (32%) and security analysis and investigations (30%). Although nearly all (93%) respondents agreed they must maintain their skills if they hope to keep their organization secure, 66% also said it’s hard to keep up with evolving cybersecurity skills given the regular demands of their job. Another 47% of respondents said that the cybersecurity skills shortage has resulted in an inability to fully learn or utilize security technologies, meaning that even with budget and the best arsenal of security tools, the average security professional doesn’t have the time to take advantage of them.
“I think there is great awareness now about the shortage of cybersecurity professionals,” says Rear Admiral, United States Navy (Retired) Mike Brown, a ZeroNorth security advisor and president of Spinnaker Security LLC. “What we really need is a strategy to entice people to see how important and fun a role in cybersecurity can be. And, we need a strategy to entice others to help in the automation and orchestration of technology, in cybersecurity and other missions, so that people can focus on what they are good at—critical thinking—and machines can do that which they are good at—repetition and scale.”
Today’s security experts have a number of tools available at their disposal, all of which possess unique functions and processes. Developers often receive multiple tickets to fix the same existing vulnerability reported by these disparate tools, which is an obvious waste of time and resources.
John Steven, ZeroNorth’s Chief Technology Officer, puts it bluntly: “Try and hire someone—go ahead. There is a profound shortage of talent, and the humans involved are faced with insurmountable water bailing.” If conventional processes don’t change, they translate into overworked staff, high labor costs and no economies of scale. Even though engineers are spending considerable time learning how to use each new tool, security teams still have limited visibility into overall risk because they cannot correlate all their data.
In a blog on SecurityRoundtable, journalist Mike Perkowski addressed the cybersecurity shortage problem by noting, “Having talented people is obviously important, but relying primarily on human capital is a deeply flawed model, for one critical reason: It. Doesn’t. Scale. No one is saying that organizations—be they global 1000-class enterprises, cybersecurity consulting firms or security-as-a-service specialists—can get by with their current staffing levels. But hiring more people is not a scalable solution, not when more than a million new malware samples surface every single day and new or improved tactics are being leveraged by the bad guys.”
ZeroNorth’s Vice President of Engineering, Andrei Bezdedeanu, agrees. “I believe that people are aware of the lack of available talent when they try to hire in the security space. A better approach demands a shift in perspective. The way to compensate for a skills crunch is to implement platforms like ZeroNorth that are going to help you scale your security program.”
The cybersecurity skills shortage is not due to a lack of awareness about the problem or the lack of tools and training. It speaks more to the connectedness of our current world, as well as the ability of cyber criminals to outpace current cybersecurity employees. Put simply, our current way of doing security is burying us alive.
“Most people don’t understand just how much of our critical infrastructure is plugged into the internet and how devastating it will be if something like the power grid is compromised,” says Barry Walker, ZeroNorth Senior Software Architect. “Every aspect of our society is completely dependent on technology, and we still have a lot of people who don’t understand technology at even the most basic level. Until they experience the pain first-hand, I don’t think that will change.”
While these facts about the cybersecurity skills shortage are on par with Halloween-level concern, solutions are in the air. ZeroNorth’s founder Ernesto DiGiambattista suggests training from within, while David Ford, a ZeroNorth Software Engineer, notes that companies should “be more visible in their cybersecurity recruiting efforts, and to put more effort into ongoing formalized or in-house education for employees around cybersecurity.”
Tony Velleca, CEO of CyberProof, a UST Global company, adds, “Alleviating the staffing pressure requires broadening the scope of the search. Consider a more diverse workforce, search for recruits from broader technical backgrounds, and recruit from locations that may be more affordable. You can also consider outsourcing cyber professionals from security service specialists that are able to bring in experienced professionals that can hit the ground running.”
The only way to wake up from this shortage nightmare and truly combat our cybersecurity demons is to consider new approaches and tools that allow us to add more human and technology resources without sacrificing speed—and without compromising on security and compliance.