Addressing the 3 Million Person Cybersecurity Workforce Gap
6.11.2018 securityweek Cyber
The Biggest Problem is Not in Measuring the Accuracy of the Cybersecurity Skills/Workforce Gap, But in Finding a Way to Close It
(ISC)2's Cybersecurity Workforce Study 2018 claims that cybersecurity professionals are focusing on developing new skills as the workforce gap widens. According to the recently released report, that gap now stands at more than 2.9 million workers globally -- with 2.14 million cybersecurity staff required in the Asia-Pacific region, and almost half a million required in North America.
The figures come from what (ISC)2 calls a 'more holistic approach to measuring the gap'. Rather than simply subtracting supply from demand, this new calculation "takes other critical factors into consideration, including the percentage of organizations with open positions and the estimated growth of companies of different sizes."
Whether this makes it any more scientific than other attempts to measure the cybersecurity workforce and skills gap is still questionable. (ISC)2 questioned 1,500 people around the world working on security. It therefore has its own built-in bias -- most people, in any profession, will consider themselves overworked and capable of doing better with an expanded team. The same argument applies to budgetary concerns -- most people would like a bigger budget, regardless of profession.
Despite these concerns, the figures in the report (PDF) are interesting. Fifty-nine percent of respondents claim their organization is at extreme or moderate risk due to a cybersecurity staff shortage.
Sixty percent said their budget should be much or at least slightly higher than it is.
However, regardless of concerns over potential inflation from respondent bias, nobody doubts that there is a workforce gap, and that most companies should pay at least more attention and possibly more money to cybersecurity. The biggest problem is not in measuring the accuracy of the skills/workforce gap, but in finding a way to close it.
Some experts believe the solution must be found in the education system. There is, says David Emm, principal security researcher at Kaspersky Lab, a "lack of interest in the sector from the future generation. Our education system and the industry itself are not inspiring young people's interests and talent in the field of cybersecurity -- we need to be encouraging people into the industry. It's increasingly important to equip children with cybersecurity skills at an early age to give them an idea of what cyber roles entail, and foster these skills."
Kaspersky Lab has its own interesting figures on the young. Only half (50%) of under-25s say they would join the fight against cybercrime; but 17% would use their skills for fun, 18% would use them for 'secretive activities', and 16% would use them for financial gain.
Other security experts believe that the solution must come from within the industry itself. "Filling the skill shortage will require organizations to change their attitude and approach to hiring, training, and participating in collaborative pipeline development efforts," says Steve Durbin, managing director of the Information Security Forum.
"Organizations," he says, "need to establish a series of strategic objectives that lay a foundation for a stronger workforce and more robust pipeline. With clear direction and sustained HR efforts, organizations can formalize the structure of the security workforce, harness the appropriate talent, and bring security teams into better alignment with the organization's security objectives."
Dr. Bret Fund, Founder and CEO at SecureSet, agrees. "Organizations need to build sustainable recruiting practices as well as develop and retain the talent they already have to boost the organization's cyber resilience."
But there is a growing school of thought that suggests that the solution is in reversing the argument. The problem is not so much that we don't have enough bodies for the work required, but that we have too much work for the bodies available. This argument suggests that technology -- or more specifically, AI-enabled automation -- should be used to reduce the workload.
One such proponent is Chris Morales, head of security analytics at Vectra. "A greater use of AI technology can make a considerable contribution to bridging the cyber skills and resource gap that the latest (ISC)2 report identifies," he says. "AI augments the human capabilities to work at a scale and speed manual approaches simply can't touch; and with 'lack of time' as one of the top job concerns being cited by IT and security professionals, this would be invaluable."
He is concerned that existing approaches to filling the workforce and skills gap are inefficient. "There is still the assumption," he added, "that certain qualifications such as computing and mathematics are essential for working in cybersecurity. In fact, lots of employers still ask for (ISC)2-style certification. Yet, this doesn't need to be the case and is only unnecessarily compounding the problem of a lack of new staff in this area."
This assumption is confirmed in the (ISC)2 report. Among the respondents, the most important qualification for employment (49%) is considered to be 'relevant cybersecurity work experience'. Not far behind (40%) is 'extensive cybersecurity work experience'. Cybersecurity certification is the third most required attribute at 43%, with general-purpose proof of aptitude and intelligence ('a cybersecurity or related undergraduate degree') languishing at the bottom of the table with just 20%.
For so long as organizations insist on recruiting only experienced staff with existing security certifications, they're cutting off the supply of potential talent from the education system -- and inevitably compounding the problem. Aptitude should perhaps be the primary recruitment requirement, with extensive 'on the job' training to follow.
(ISC)2 seems to recognize this. The report concludes, "Companies who employ new recruits should explore options available for training them for the job and setting them up for success. They also need to provide more professional development opportunities for the people who already work in cybersecurity -- and allow sufficient time for their staff to pursue them."