Security breaches and digital attacks are a regular part of the news cycle these days. An even scarier reality is that, according to experts, there aren't enough people trained to fend off these cyber raids.
A frequently cited report from networking giant Cisco estimates that more than 1 million worldwide security jobs sit unfilled. And a 2015 report from ISACA (a body formerly known as the Information Systems Audit and Control Association) found that 86% of polled members agreed that cybersecurity is an understaffed industry. Only 38% felt prepared to deal with a sophisticated digital attack.
"I think the shortage is absolutely dire, and it’s one of the bigger contributing factors to the failures of information security that we’re seeing over the past several years," says Eddie Schwartz, chairman of ISACA’s Cybersecurity Advisory Council and president and CEO of the security firm White Ops.
The scarcity of employees with proper skills began around the turn of the century, Schwartz says. It has been compounded by the focus—by both schools and the industry—on training workers in security basics typically required by corporate compliance standards. Consequently, issues like patching known vulnerabilities and installing firewall and antivirus software take precedence over more complex techniques necessary for fending off modern sophisticated attacks. "Most of these compliance frameworks were not tuned to be able to handle a world of advanced threats," Schwartz says.
Also difficult to find are workers with expertise in so-called white hat hacking techniques, like conducting penetration tests to find vulnerabilities, just as malicious hackers would do. "There isn’t a real educational track," says Mike Weber, vice president at the Colorado-based security company Coalfire, where he heads up the Labs Division. "There isn’t a real career path to get to that end, to become that guy."
Another challenge is that it's difficult to enter the cybersecurity field straight out of college, since graduates need a certain amount of more general tech-industry experience to learn to identify where vulnerabilities might lay—where rushed engineers would take shortcuts to get a server online, for instance, or to ship an app by deadline.
"The way to be able to identify mistakes is to know where where one would make them oneself," Weber says. "It’s really a role of reverse-engineering, and in order to be able to reverse-engineer something, you need to be able to forward-engineer it."
To help fill the demand for security professionals, a number of industry groups, including ISACA and universities, are beginning to offer hands-on training in white hat hacking techniques.
Vermont’s Norwich University, known as the nation’s oldest private military college, offers graduate level courses and certificate programs in cybersecurity that include instruction in forensics and vulnerability management.
"The penetration testing lab itself was developed a number of years ago in response to a direct request from a large company that wanted us to be able to train their in-house IT people in penetration testing," says Rosemarie Pelletier, program director for the university’s information security and assurance master’s degree program.
Among the programs' students are often security professionals looking to fine-tune their skills and members of the military in need of training to transition into civilian careers. Few have trouble finding work after graduation. "Those with good skill sets, with good, solid credentials, are snapped up in a heartbeat," Pelletier says.
Offensive Security, the company known for developing the Kali Linux ethical hacking-focused operating system, offers its own training and certification programs that are built around hands-on work, not written exams.
"Our base level, foundational level certification is a 24-hour exam," says Offensive Security president Jim O’Gorman. "You connect into a network that has a certain number of systems. You have a number of tasks that are put in front of you. You either accomplish those tasks or you don’t. You write a document explaining those results, and then that’s graded based on a predetermined and communicated set of criteria. And then you either pass or fail."
But even as training programs turn out graduates, there still just aren't enough applicants to make up for the overall workforce shortage. And until that changes, many companies will continue to outsource security operations to consultants—or outsource IT operations in general to cloud providers. Giants like Amazon, Google, Apple, and IBM have the in-house expertise to keep their systems safe, and big security companies can make their specialists available to smaller outfits that may only need their services sporadically. The dearth of skilled employees makes it difficult for established cybersecurity companies to staff up—and all but impossible for more modest organizations. "If you’re in a small or medium-sized business, you must outsource it," ISACA’s Schwartz says. "There’s just no way to build these competencies at this point."