The Cybersecurity Talent Gap = an Industry Crisis

April 30, 2019

A war is raging for cybersecurity talent.

Both the government and the private sector are scrambling for talent. Thousands of information-security jobs are going unfilled as the industry in the U.S. struggles with a shortage of properly trained professionals. By one estimate, there will be 3.5 million unfilled cybersecurity jobs by 2021.

The talent problem is not new. The problem has become highlighted in the last five to 10 years with the increase in cyberattacks. Not only have cyberattacks grown in frequency and intensity, but also cybersecurity has risen to become a board-level issue. After the Target 2013 attack, boards and executives realized cybersecurity was a business issue and some started putting more money behind it. The aftermath is that everyone is hiring, all at the same time.

I’ve witnessed these problems first-hand for years at nearly every company I’ve worked for, be they small, medium or large. Size doesn’t matter.

What has caused this rise in cyberattacks? I believe there are a few variables. The first being the “connectedness” of everything — cars, refrigerators, TVs, etc. Then there’s the monetary incentive for attacks – healthcare records, for example, sell for almost $150 per record. Add to that poor coding of products that leave them vulnerable to cyberattacks. Finally, the shortage of skilled and experienced security practitioners’ forces companies to use less skilled and experienced IT personnel to try and protect sensitive data and intellectual property.

Lack of Cybersecurity Talent is a Systemic Issue

The fundamental problem facing the skills gap, however, is there aren’t enough people coming into the field to begin with. In my view it starts and ends with education. Not enough interest is being generated at the middle-school and high school levels in STEM. This leads to less graduates in technical disciplines, and less graduates in PhD level technical disciplines. Cybersecurity should have been a Bachelor of Science degree 15 years ago. Today we’re seeing this in some universities, but it’s not enough.

These are all systemic issues needing systemic answers that could take years to resolve. Still, these shortage problems need to be addressed and they won’t be until we change how cybersecurity experts are hired, retained and educated.

So now, we’re faced with a set of problems:

Lack of qualified staff. Finding skilled security engineers takes way too long. One report says it takes up to six months to find security engineers.
Using under skilled practitioners. When companies can’t find qualified cybersecurity personnel, they’re forced to use their existing IT/Network teams. These teams generally don’t have a “security first” mindset – they have an “availability first” mindset. Uptime is usually prioritized over security.
Security tool sprawl. With the average enterprise using 45+ security-specific tools to protect data and intellectual property, understaffed security teams are forced to manage tool sets they don’t know or understand.

Real Challenges, Worrisome Implications

Cybersecurity talent is hard to recruit and retain for every company, but it’s tougher for some over others. Take one of our prospective clients. He’s located in a small town in the middle of the Southeast, and he’s really struggling to find talent. So, their small staff is very overworked.

The implications for business resilience are worrisome.

Security positions are going unfilled for months. Unfilled positions lead to negative impact across the board: on productivity, customer service, security, innovation, speed to market and profitability.
Tools are not being used effectively. Support teams (usually not security teams) are installing, managing and monitoring security tools without the background to make them effective.
Security oversight is lacking. Projects and products are being deployed without security oversight leading to potential risks for their companies.
Falling behind in cybersecurity training. Companies say they are falling behind in providing an adequate level of cybersecurity training.

What’s more, the lack of skilled cybersecurity personnel is doing more than putting companies at risk; it’s affecting the job satisfaction of existing staff. This is a dangerous side effect that affects morale.

What will the Next Few Years Bring?

Cybersecurity is obviously a job sector of the future. That’s the good news. It’s also the bad news.

The main reason it’s a job of the future is because the security risks of a connected world keep expanding and evolving. Hackers and bad actors will continue to go after our data and intellectual property. Without the right people (skilled and experienced) and right tools, this problem will continue to grow.

As you might imagine, we’re fighting the war for cybersecurity talent every day.

Dave Barton is Chief Information Security Officer, Stellar Cyber. With over 20 years of security experience, he has served as CISO across several industries including telecommunications, healthcare, software development, finance and government.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.