In a 2018-2019 report from ESG, over half of the companies surveyed (53 percent) report a serious shortage of cybersecurity skills in their organization. This skills gap isn’t new – the problem has plagued our industry for years. Why is there such an imbalance between the supply and demand for cybersecurity professionals? Where do we start in addressing the problem?
Jeff Frisk, Director for SANS Institute’s GIAC certification program, confirms that the data trends and indicators show there is a much greater demand than supply of cybersecurity professionals. “Demand for highly-technical cybersecurity practitioners remains on the rise,” he said. “The supply vs. demand issue in our industry is interesting given that, in most instances, deep technical skills and live-fire field experience are required to break into common low-level work roles.” So what’s causing the growing divide?
Cybercriminals are not only a threat to an organization’s cyber resilience; their nefarious activities have risen since machines were first linked together, and with that rise has come a wider skills gap. Attackers’ goals have evolved from street cred within the hacker community to a well-organized, concentrated push for financial gain. Their incentive scheme lures more criminals into the game—and we just can’t keep up.
When we digitized our most important information—patents, consumer records, financial data—we added more to cybercriminals’ watch-list. This creates more space to hide and we often don’t have a wide enough lens to monitor an ever-expanding attack surface. To make matters worse, our own complex environments provide many opportunities for criminals to hide, users to go rogue, and auditors to always find something. Our mutating attack surface provides a compound effect—more threats in more places.
Current and aspiring security professionals are often caught in a dilemma: expand their skills within a specific domain or pursue a broad range of many disciplines. Unfortunately, individuals are forced to make the tradeoff, leading to bulges in certain skills and scarcity in others. This distribution and concentration of skill is not always aligned with an organization’s requirements for a particular position.
Cybersecurity job requirements are too often written like a wish list to Santa Claus, asking for candidates with decades of experience, deep knowledge in myriad disciplines, and a willingness to put in an abundance of hours for a compensation plan that looks like an internship. Cyber crime evolves at lightning speed – just as technology does. Unforeseen forces can exaggerate the skills gap. Instead, managers must learn to be flexible and future-looking when it comes to hiring cybersecurity talent.
Before discussing the proper skillsets required for today’s cybersecurity professional, it’s important to take a step back and explore the notion that attracting those in the 10-17 age group is going to be critical. How are all these open positions going to be filled? A young workforce that comes armed with STEM skills learned in school can go a long way.
Offering an overview of cybersecurity in school, perhaps presented in innovative ways, might be exactly what is needed to pique students’ interests. Students are already fully immersed in the technology in their day-to-day lives, so having them learn (and even master) the underlying cybersecurity engineering behind their apps and devices represents a huge opportunity. Imagine how they could build upon those proficiencies as they either enter post-secondary education or the workforce.
“Clearly, if we ever aim to close the supply/demand gap, starting early needs to happen,” Frisk said. “This, of course, takes time. Even when I look back 10 or 15 years ago, seeing the push for STEM focus in elementary and high school, it seems like we are just getting a foot in the door.”
So how do we attract the younger generation to the industry? Frisk suggests we think about gamification and cyber range activities targeting the high school level. “As an example, SANS CyberStart program has more than 6,500 high school girls playing CyberStart in 2019 across 27 states.”
The skills required of today’s cybersecurity professional change all the time, and this is certainly a factor in our supply issues. For would-be cybersecurity professionals, Frisk breaks down what’s in demand.
“This may sound cliché, but having verified, base-line technical skills coupled with the ability to adapt and learn about emergent technologies and threats is paramount,” he said. “The threat environment we face five years from now will be very different than the one we face today. Those with the desire to learn and the ability to adapt will be the best positioned to protect their organizations.”
He points out that those skills that are in increased demand compared with five years ago include: threat hunting, cloud security, cyber threat intelligence, and incident response. Also seeing steady growth are the skills to carry out penetration testing and digital forensics.