Cyber-threats and data breaches are growing in number and severity, botnets are enlisting new conscripts at a chaotic pace, cryptoransomware attacks are raking in millions for malicious hackers… and we are hard-pressed and ill-prepared to face the challenges that lie ahead. The widening gap of cybersecurity talent is at the heart of this crisis. There’s currently a shortage of 1 million skilled workers in the cybersecurity sector. According to (ISC)², that number will rise to 1.5 million by 2020; Cisco’s Annual Security Report says we’ll reach the 1.5 million threshold by 2019. A study led by ISACA shows that most organizations are having trouble finding cybersecurity talent to fill their IT security vacancies.
An argument that helps in understanding the cybersecurity talent gap is offered by Ira Winkler, President of Secure Mentem, in a ComputerWorld op-ed. In the article, Winkler rightly argues that the shortage of cybersecurity talent is rooted in the fact that companies and agencies are looking in the wrong places. Winkler proposes that instead of perceiving security as a standalone discipline, it should be considered as a discipline within the computer field.
Most companies require hard-to-obtain certifications for their security posts. In the U.S. alone there are currently around 50,000 jobs that require CISSP-certified professionals, but the actual number of people who can fill those posts is not even near that number. However, many prominent security professionals have entered the field without a cybersecurity degree or any security-specific training, because they had already acquired the needed basis through their practice of other disciplines such as programming or network administration.
And the fact of the matter is that most security incidents and cyber-attacks do not take place through highly sophisticated methods, but rather result from badly implemented security policies within organizations or a general lack of awareness among employees, which leads to different forms of social engineering attacks such as phishing and the distribution of malware. Remedying this situation does not require too much domain-specific knowledge. Organizations and firms only need to look for cybersecurity talent among the more experienced members of their staff.
Different initiatives and programs, sponsored by government agencies and the private sector, have been launched to help deal with the security talent shortage problem. Some of them involve using gaming concepts and competition to find cybersecurity talent among professionals in other IT and programming sectors, and to attract the young, tech-savvy masses into considering this as a career by informing them about the industry’s dire need and the rewarding job opportunities that are available in the domain. Examples of cybersecurity competitions include the UK’s Cyber Security Challenge and CyberPatriot in the U.S.
Another approach that is worth mentioning is the effort being made to raise awareness of cybersecurity issues at the average employee and executive levels. Human errors account for a huge number of security incidents, and organizations should try to improve security by turning their employees into their biggest security assets. One of the nice trends we’re seeing in this area is again the use of gaming concepts, such as PwC’s Game of Threats, which allows senior executives and board members to deal with real-world cybersecurity situations from a higher perspective in a game. Data Guardian has also come up with a nice gaming concept, called Data Defender, which actually turns cybersecurity measures and practices into a game that rewards employees for their good behavior and penalizes them for policy breaches.
Bug bounty programs might also help in both finding cybersecurity talent and preventing discovered security holes from being put to malicious use. Tech firms have been using this type of approach for years, and more recently the Pentagon announced its own bug bounty program, inviting white hat hackers to find security gaps in its networks and reap the rewards.
And finally, the improvement of AI and advances in machine learning technologies might help somewhat in dealing with security threats and filling the cybersecurity talent gap. We’re still not quite there, but we’re getting close. Though I do admit that I’m reluctant to see humans giving up their jobs to robots.
The cybersecurity talent shortage is real and serious, and we need to think about it and deal with it today. Tomorrow might be too late.