This year has been one of significant growth for the cybersecurity industry. According to the 2022 (ICS)2 Cybersecurity Workforce Study, the cyber workforce reached an all-time high of 4.7 million workers and added 464,000 new workers globally.
Despite this, there is still a widely perceived talent shortage in the cybersecurity industry, both domestically and internationally, and companies feel like they can’t fill the positions they need.
But what is causing this “shortage,” and what can be done to mitigate it? To best answer this question, it would help first to contextualize the perceived problem and what is causing it before we then address some potential solutions.
The causes of the talent shortage
The increase in demand for cybersecurity workers has a two-pronged cause. Part of it is that there has certainly been an increase in cybersecurity threats in recent years, and 2022 was no exception. The other part of it is that consumers as a whole are valuing privacy and security much more than in prior years, and so robust cybersecurity features are increasingly becoming a marketable trait. It’s certainly possible that consumers are valuing security more precisely because of the increase in cybersecurity threats, but broadly speaking, these are the two patterns that underlie the growing demand for more cybersecurity talent.
And so, while part of the perceived shortage may be a result of this objective surge in demand for cybersecurity, part of it may also result from outdated or limited modes of thinking. The industry has grown tremendously to the point where there are now many branches of specialties within the overarching umbrella of cybersecurity, and no single individual can realistically be an expert in all of them, given how fast information moves and changes.
A helpful analogy to use is the field of medicine. By sheer necessity, there are many specialties within medicine, and you have to hire physicians and medical personnel who are trained for those specialties. Similarly, if you try to find cybersecurity professionals who can do everything, you will naturally perceive a shortage as the field has become too complex and fragmented to realistically find experts that are jacks of all trades within the field of cybersecurity. The problem is less an objective lack of talent out there and more an obsolete set of expectations and hiring practices that could benefit from some updating.
Another potential cause may have to do with the relative scarcity of the most prized skill in cybersecurity. The best kind of cybersecurity work requires a certain ability to think outside the box and foresee problems that don’t even exist yet. Individuals with this gift are the most talented, skillful cybersecurity professionals, yet there really isn’t a reliable formula for transmitting such an ability at scale. You can teach people hard skills, and you can teach them tools and procedures, but teaching that kind of foresight and creative ability is more of an art and less of a clear-cut affair.
While this may not be a primary reason for a perceived talent gap, one of the contributing factors may be that organizations understandably want to hire professionals that can accurately project future threats and prevent all breaches from occurring. When put in those terms, it is easy to understand how truly difficult that skill set is to come by.
Divvying up the responsibilities
Generally speaking, cybersecurity problems lie on a spectrum between problems that can be addressed by the book by any competently trained professional or team using established technologies and procedures and problems that require specialized cybersecurity expertise. Sounil Yu’s Cyber Defense Matrix has been well-accepted for some time now. Organizations could greatly benefit by having built-in ways to identify where problems belong on this spectrum and identify potential solutions in advance of a security event. Once a new event is identified, a ticket can then be created for an in-house professional to solve it using established procedures, or it can be earmarked for the attention of a specialist.
Fortunately, even for problems requiring specialization, there are numerous options for how to go about it. One way for companies with the available resources, would be to hire in-house specialists. Another way would be to outsource the work since having onsite specialists may not be a feasible option for some. A third way can be tapping into the power of community by crowdsourcing. A single individual, or even several of them, may not have the ability to hack a particular solution, but if you’re able to tap into a community of, say, 30 individuals, one or more of them just might have the right skill set.
Employing some combination of these methods — hiring in-house specialists, outsourcing, and crowdsourcing — may actually be the way that an increasing number of organizations choose to go depending on their specific needs and resources.
Other solutions for filling the gap
Aside from properly identifying the level of specialization required for a problem, as well as tapping into the power of crowdsourcing, there are some other ways to further alleviate the perceived talent shortage.
The field of cybersecurity has gone through an interesting and somewhat ironic evolution in that in its earlier phases; there was a strong culture of DIY and a pervasive belief that it didn’t matter what your background or education level was so long as you could hack. Many in the community even actively identified themselves as outcasts or iconoclasts. However, over the years, as cybersecurity has become increasingly adopted by the enterprise, the field has necessarily become more industrial and standardized, and the pathways toward a career in cybersecurity have become more clearly defined: going to university, getting a degree, and getting the right certifications.
In many ways, standardization is a good thing, but in the process, new barriers can get erected which were not there previously, potentially limiting the kind of diversity that would only strengthen the field. One thing that universities and organizations can, therefore, do is to continually think about how they can maintain standards and procedures while being cautious of not creating new barriers. Fortunately, the field as a whole seems to be noticing and working to address this.
Another solution can lie in colleges and universities possibly rethinking their roles and upgrading their programs as deemed necessary. A good way to do this would be to continue to improve the lines of communication between universities and the very companies that are perceiving a shortage of talent. Universities can work to understand how they can better train students to meet organizations’ needs.
Conversely, how can they also educate companies to have more realistic standards about the range of cybersecurity issues that a cybersecurity generalist can reasonably be expected to solve? Cybersecurity programs could also prioritize the kind of soft skills that make truly gifted cybersecurity professionals, such as the aforementioned ability to foresee problems that don’t exist yet. All the technical knowledge and skills in the world can only do so much good if a student can’t learn to adapt to new technologies and circumstances with the ability to interpret the world through the mindset of a hacker.
Finally, apprenticeships are another way that universities and companies could work together to provide alternative career pathways that remove some of the barriers preventing more people from entering cybersecurity, as this, too, could help address the talent shortage. Crowdsourcing, once again, can also serve as an alternative pathway because whereas apprenticeships require a formal application process, with crowdsourcing, anyone can just immediately start doing it, build experience, gain exposure, and even get paid in the process via bounties.
The cybersecurity field is growing and evolving at breakneck speed. Regulations, technology and the threat landscape all of these are expanding exponentially. Expecting one person to be able to do everything — the way one might expect a plumber to be able to address every plumbing problem — inevitably limits the perceived pool of capable professionals. On a more objective level, having too many barriers to breaking into the field does the same. Both higher education institutions and companies can implement some of the aforementioned adjustments in order to play key roles in helping make the talent gap a thing of the past.