According to recent 2018-2019 report from ESG, over half of the companies surveyed (53 percent) report a serious shortage of cybersecurity skills in their organization. Sadly, it doesn’t look like the skills gap for cybersecurity will improve in the near future. So where do we start in addressing the problem? Why is there such an imbalance between the supply and demand for cybersecurity professionals?
Jeff Frisk, Director for SANS Institute’s GIAC certification program, confirms that the data trends and indicators show there is a much greater demand than supply of cybersecurity professionals. “Demand for highly-technical cybersecurity practitioners’ remains on the rise,” he said. “The supply vs. demand issue in our industry is interesting given that, in most instances, deep technical skills and live-fire field experience are required to break into common low-level work roles.”
And let’s face it, security is difficult to keep up with. Attacks are occurring every day, resources to fight them are getting scare and the goalposts of regulatory standards are constantly changing; it’s no wonder people may be hesitant to enter the field. For SANS Institute though, it generally boils down to a volume problem — given the increasing number of job roles to fill in highly technical positions.
“In some other industries there seems to be a clearer (or cleaner) progression from entry-level through the middle and on to master,” Frisk explained. "Part of this is due to the fast rate of change in the cybersecurity industry…threats evolve so quickly.”
To compound the issue even further, gaining real world experience and building hands-on skills is something that takes time and nurturing. “There is great risk involved with putting a more junior person in a position where they can gain needed skills without setting them up to fail,” said Frisk.
Before discussing the proper skillsets required for today’s cybersecurity professional, it’s important to take a step back and explore the notion that attracting those in the 10-17 age group is going to be critical. How are all these open positions going to be filled? A young workforce that comes armed with cybersecurity skills learned in school can go a long way.
Offering an overview of cybersecurity in school, perhaps presented in innovative ways, might be exactly what is needed to pique students’ interests. Students are already fully immersed in the technology in their day-to-day lives, so having them learn (and even master) the underlying cybersecurity engineering behind their apps and devices represents a huge opportunity. Imagine how they could build upon those proficiencies as they either enter post-secondary education or the workforce.
Read about how to protect your data while empowering your workforce.
“Clearly, if we ever aim to close the supply/demand gap, starting early needs to happen,” Frisk said. “This, of course, takes time. Even when I look back 10 or 15 years ago, seeing the push for STEM focus in elementary and high school, it seems like we are just getting a foot in the door.”
So how do we attract the younger generation to the industry? Frisk suggests we think about gamification and cyber range activities targeting the high school level. “As an example, SANS CyberStart program has more than 6,500 high school girls playing CyberStart in 2019 across 27 states.
The skills required for today’s cybersecurity professional changes all the time, and this is certainly a factor towards our supply issues. For would-be cybersecurity professionals, Frisk breaks down what’s in demand.
“This may sound cliché, but having verified base-line technical skills coupled with the ability to adapt and learn about emergent technologies and threats is paramount,” he said. “The threat environment we face five years from now will be very different than the one we face today. Those with the desire to learn and the ability to adapt will be the best positioned to protect their organizations.”
He points out that those skills that are in increased demand compared with five years ago include: threat hunting, cloud security, cyber threat intelligence, and incident response. Also seeing steady growth are the skills to carry out penetration testing and digital forensics.
One final variable that needs to be addressed in the skills gap conversation is the potential that AI brings to the table. When a good portion of what the cybersecurity professional does may involve repetitive tasks, we can’t overlook how AI can have in minimizing those tedious tasks that take time away from the important work.
Time will tell if AI may help, but it’s probably too soon. For now, as demand continues to skyrocket, there is no reason to think it won’t continue well beyond 2020. “I see demand continuing to skyrocket until mid-level security professionals are more successful in stopping cyber intrusions,” Frisk said. “Unfortunately, it doesn't seem like much ground is being gained by the good guys at this point, so the only place for demand to go is up.”
While the industry strives to find new ways to fill the cybersecurity skills gap, organizations are combating the challenge by maximizing their existing resources. Find out how minimizing IT complexity increases the effectiveness of your security posture and reduces the burden on your IT team. Download the 2019 Endpoint Security Trends Report.