Cybersecurity talent investment has gone through the roof in recent years: Universities are announcing cybersecurity degrees programs, Facebook is open sourcing its Capture the Flag competition platform that teaches developers about cybersecurity, Cisco has launched a $10 million scholarship to tackle the cybersecurity talent shortage and more.

Yet, it’s still not enough.

Because by 2022, the global cybersecurity workforce will be short by around 1.8 million people, according to the Global Information Security Workforce Study (GISWS) by The Center for Cyber Safety and Education and facilitated by Frost & Sullivan.

“We are clearly still going in the wrong direction,” notes Wesley Simpson, COO at (ISC)², which released its own report that notes that IT staffers are dramatically underutilized and potentially untapped cybersecurity resources for many organizations struggling with their information security workload. (ISC)² is an international, nonprofit membership association for information executives, with 125,000 members in 170 countries.

More than 3,300 IT professionals participated in the (ISC)² study, which found that almost 50 percent of IT organizations don’t provide adequate resources for IT security training and professional development, and that their ability to defend against cyberattacks has declined in the past year. Although IT professionals are on the frontlines implementing cybersecurity strategies, only 35 percent agreed their security suggestions are followed, while 28 percent said they are asked for advice, but it falls on deaf ears.

The GISWS study echoes that as well: its research found that 87 percent of cybersecurity workers started their careers doing something different, which is a problem for the 94 percent of hiring managers who indicated they were looking for staff with existing experience in the field. So, leadership may not fully understand job requirements, according to the GISWS report.

Considering the evolving nature of the threat landscape, hiring people with all the requisite experience and knowledge is a challenging prospect. Even experienced security pros need constant refreshers because the threat landscape changes rapidly with 400,000 new malware samples released daily. Security knowledge can get stale without continuing education.

“We are not staffing this shortage, we are staying the same; even worsening,” Simpson says. “We don’t have a big army coming over the hill to save us all. So maybe we need to educate the staff that we have and go to battle with that team, instead of looking for a new team.”

Wesley advocates the importance of training and investing in the employees you currently have, for your next cybersecurity team. “We can’t be afraid to look within our own organizations,” Simpson argues. “Because that talent exists.”

How do you begin? “Start with your own IT department,” Simpson says. “IT staff known the day to day security functions, the technology, the business, the processes, the infrastructure and where your data is. Many IT professionals have been doing that their entire career. Just because they don’t have a cyber title doesn’t mean they don’t possess those skills.”

How do you train? “Each enterprise will be different, but the bottom line is that it needs to continually invest in their staff. Send them to training to get the certifications they need. And the biggest thing that we are not seeing is having a conversation with the board and the C-Suite to get the cybersecurity budget added to the P&L,” Simpson notes. “That is not a common practice, so the money is just not there. Every organization needs to be a security company and that mindset needs to be embedded into the enterprise.”

Simpson also likes to dispel the notion that a STEM education or degree is needed for a cyber career. “Cybersecurity is an incredibly diverse career field, and it needs legal, accounting, analysts and businessminded folks who have to mine through data and present it in a logical fashion that is suitable for a board and C-suite audience. And you don’t necessarily need STEM to do that.”

Overall, says Simpson, a long-term investment in cybersecurity training and education is lacking in enterprises, but is certainly advisable if enterprises want to properly protect themselves.