We are reaching a new critical shortage in the workforce. In addition to the health care sector’s impending lack of qualified nurses (and enough teachers to educate new ones), industry experts are sounding a similar alarm for cybersecurity experts.
Since the massive breach at Target in 2013, many other organizations have fallen prey to cybercriminals. The next year saw hacks into UPS, Goodwill, JP Morgan Chase, Sony, and others. Forrester Research predicted that 60% of brands would experience a breach of sensitive data in 2015. That estimate may have been conservative considering that last year, those organizations successfully targeted by cyberhackers included the FBI, Trump’s hotel chain, Experian, and Scottrade, among others.
The cost dings both the bottom line and organizational reputation. A Ponemon study of 350 companies in 11 countries found that the average consolidated total cost of a data breach is $3.8 million, a 23% increase since 2013.
No wonder Bureau of Labor Statistics data indicates that demand for cybersecurity jobs is expected to grow by 53% over the next two years.
A new study released today by Intel Security with the Center for Strategic and International Studies (CSIS) takes a closer look at the cybersecurity workforce shortage across eight countries including Australia, France, Germany, Israel, Japan, Mexico, the U.K., and the U.S.
Overall, it confirmed that the talent shortage was very real and widespread. The CSIS study revealed that 82% of participants report a shortage of cybersecurity skills in their organizations. One in four confirmed that their organizations were victims of cyber thefts of proprietary data due to this lack of qualified workers.
The researchers reviewed open-source data, targeted interviews with experts, and a survey of 775 IT decision makers in both public and private sector organizations in eight countries. The analysts also looked at four dimensions of each respondent’s cybersecurity workforce development efforts: total cybersecurity spending, education programs, employer dynamics, and public policies.
Among the key takeaways, the respondents in all eight countries agreed that highly technical skills are most in demand. The top three most cited include:
- intrusion detection
- secure software development
- attack mitigation
"These skills were in greater demand than softer skills, such as the ability to collaborate, manage a team, or communicate effectively," the report’s authors write. This goes counter to which skills most hiring managers thought were lacking in college graduates in 2016. Fifty-three percent of respondents also remark that the cybersecurity talent shortage is somewhat or far worse than in other IT professions, including the industry’s "sexiest" job: data scientist.
Unlike the data scientists working today who earned a PhD, the CSIS report found that academic degrees may be a minimal prerequisite for cybersecurity positions. That’s likely due to the fact that only 23% of respondents say education programs are actually preparing students to enter the industry.
Seventy percent of respondents in the U.S. say they’d prefer a candidate to have a bachelor’s degree in a related technical discipline. But only 23% said that universities and vocational schools are "fully preparing" students to do these jobs.
"A bachelor’s degree in a technical field is ranked third by survey respondents among most effective ways to acquire cybersecurity skills, behind hands-on experience and professional certifications," the authors write. "This contradiction indicates that a degree is more of a signal of general competence than an indicator of directly relevant cybersecurity skills." Indeed, the majority of decision makers surveyed believe that hands-on experiential learning is the best training for these jobs.
More than three-fourths of survey respondents cite professional certifications as an effective way to demonstrate skills. More than three in five respondents say that national hacking competitions are the best way to gain and develop skills.
According to the study, the U.S. and U.K. are currently investing the most in cybersecurity education, while Mexico, France, and Japan are investing the least. Fast Company recently reported that in the U.S., industry groups and universities are starting to offer hands-on training to cope with the skills shortage. Norwich University in Vermont, for example, is offering both graduate-level coursework and certificate programs. Offensive Security skips the written exams to focus on hands-on work for its certification program.
The CSIS report estimates that total global cybersecurity spending will be more than $100 billion over the next four to five years. Among those investing the most are the U.S. government and the financial services industry.
The study’s authors note that these major investments will help drive best practices for training and recruiting skilled workers.
Salary is paramount in attracting the best talent. According to the report, more than half of industry decision makers agreed that a competitive salary is necessary to attract candidates, and 60% believed good salaries contribute to better retention. Salary was ranked higher than other factors, including potential to be promoted, organizational reputation, and training.
As the industry catches up with education programs, employers are finding it necessary to provide on-the-job training. But that also helps with retention. Nearly 50% of survey participants say that a lack of training or sponsorship for certification programs is a common reason for employees leaving a company. That’s because the cost of outside training or required testing for certification is often too high for the employee to pay alone.
In the meantime, companies are filling the talent gaps through technology and by outsourcing certain security functions, such as risk assessment and mitigation, network monitoring and access management, and repair of compromised systems. More than 60% of survey respondents outsource at least some aspect of their cybersecurity workload.
Rather than worry that cybersecurity experts will be replaced by robots before they even complete training, the report’s authors recommend that the cybersecurity workforce adapt its skills. They write: "While automation will never fully replace human judgment, it does create efficiencies which allow cybersecurity professionals to focus their time and talent on the more advanced threats that require human intervention."