Security Skills Gap

Studies reveal dearth of cybersecurity talent is creating measurable damage.

Security incidents are increasing in sophistication and frequency, yet industry studies find that an alarming shortage of cybersecurity talent is resulting in direct and measurable damage to companies worldwide. Worse yet, most organizations say they don’t believe the skills gap can be closed in the near term.

A study from Intel Security and the Center for Strategic and International Studies (CSIS) finds that 82 percent of survey respondents admit to a shortage of cybersecurity skills, with 71 percent citing this shortage as responsible for damage to organizations by making them more desirable hacking targets.

“A shortage of people with cybersecurity skills results in direct damage to companies, including the loss of proprietary data and IP (intellectual property),” said James A. Lewis, senior vice president and director of the Strategic Technologies Program at CSIS. “This is a global problem; a majority of respondents in all countries surveyed could link their workforce shortage to damage to their organization.”

Another study by ISACA and RSA Conference finds that 75 percent of security professionals lack confidence in their team’s ability to handle anything more than the most basic security incidents. In addition, 59 percent say that fewer than half of their cybersecurity job candidates could be considered “qualified upon hire.”

“The lack of confidence in current cybersecurity skill levels shows that conventional approaches to training are lacking,” said Ron Hale, Chief Knowledge Officer of ISACA. “Hands-on, skills-based training is critical to closing the cybersecurity skills gap and effectively developing a strong cyber workforce.”

In 2015, 209,000 cybersecurity jobs went unfilled in the U.S. alone, and there are no signs of this workforce shortage abating in the near term. The Intel / CSIS report estimates an average of 15 percent of cybersecurity positions will go unfilled by 2020.

This shortage is building in an environment where 74 percent of the ISACA respondents say they expect a cyberattack this year and 30 percent say they experience phishing attacks every day. More than half also say they expect attack surfaces to expand and exacerbate risk with the increase in cloud, mobile computing and the Internet of Things, as well as advanced targeted cyberattacks and cyberterrorism across the globe.

The demand for cybersecurity professionals is outpacing the supply of qualified workers, with highly technical skills most in demand across all countries surveyed. In fact, skills such as intrusion detection, secure software development and attack mitigation were found to be far more valued than softer skills such as collaboration, leadership and effective communication.

The Intel / CSIS report identifies the following recommendations for addressing the cybersecurity talent shortage:

Increase Cybersecurity Spending: Unsurprisingly, countries and industry sectors that spend more on cybersecurity are better placed to deal with the workforce shortage. The banking industry has been particularly active in increasing cybersecurity spending, reflecting its prominence as a target. Finance consumes more cybersecurity products and services than any other private sector industry, and thus could help drive best practices for training and hiring cybersecurity talent.

Redefine Education and Training Requirements: About half the companies surveyed prefer a bachelor’s degree in a relevant technical subject as a minimum requirement for hiring, but only 23 percent of respondents say education programs are preparing students to enter the industry. Nontraditional methods of practical learning, such as hands-on training, gaming and technology exercises, and hackathons, may be a more effective way to acquire and grow cybersecurity skills. More than half of respondents believe that the cybersecurity skills shortage is worse than talent deficits in other IT professions, placing an emphasis on continuous education and training opportunities.

Diversify the Workforce: Industry studies show that women and minorities are underrepresented in the cybersecurity field. Workforce enhancement efforts should aim to create a broader pool of cybersecurity talent. Another barrier to expanding the cybersecurity workforce is a stigma that lingers with job candidates who have a history of hacking. Employers should develop a more flexible attitude toward hiring people who have hacked.

Improve Incentives: While salary is unsurprisingly the top motivating factor in recruitment, other incentives are important in recruiting and retaining top talent, such as training, growth opportunities and reputation of the employer’s IT department. Almost half of respondents cite lack of training or qualification sponsorship as common reasons for talent departure.

Encourage Government Action: More than three-quarters (76 percent) of respondents say their governments are not investing enough in building cybersecurity talent. This shortage has become a prominent political issue as heads of state in the U.S., U.K., Israel and Australia have called for increased support for the cybersecurity workforce in the last year.

“The security industry has talked at length about how to address the storm of hacks and breaches, but government and the private sector haven’t brought enough urgency to solving the cybersecurity talent shortage,” said Chris Young, senior vice president and general manager of Intel Security Group. “To address this workforce crisis, we need to foster new education models, accelerate the availability of training opportunities, and we need to deliver deeper automation so that talent is put to its best use on the front line.”

