Industry data regarding the cybersecurity skills shortage continues to paint a disturbing picture. For example:
- Job market analytics vendor Burning Glass states that cybersecurity job postings grew 74% from 2007 to 2013, more than twice the growth rate of all IT jobs.
- Prospective employers posted more than 50 thousand jobs requesting Certified Information Systems Security Professional (CISSP) certification. Unfortunately, there are only about 65 thousand CISSPs in the world, and many are gainfully employed.
- ISC2, the organization that certifies CISSPs, believes that there will be a deficit of 1.5 million cybersecurity professionals by 2020. The UK House of Lords is even more bearish, predicting a shortage of two million cybersecurity professionals by 2017.
While the cybersecurity skills shortage has long been recognized as a problem, few people seem to realize that the situation is getting much worse on an annual basis. Want proof? As part of its annual research on IT trends, Enterprise Strategy Group (ESG) asks IT and cybersecurity professionals to identify areas where their organizations have a “problematic shortage” of IT skills. For the past four years, information security/cybersecurity represented the area with the highest level of overall skills shortages. In 2015, 28% of organizations claimed to have a problematic shortage of cybersecurity skills.
While ESG expected the cybersecurity skills shortage to remain at the top of the list in 2016, this year’s results were especially distressing – 46% of organizations now claim that they have a problematic shortage of cybersecurity skills, representing an 18% year-over-year increase. This is an especially alarming upsurge given the more modest increases in the past.
FIGURE 1. Percentage of organizations with a “problematic shortage” of cybersecurity skills by year
Are cybersecurity skills shortages concentrated in any particular area? To some extent. As the ESG data illustrates (see Figure 2), one-third of organizations say that their biggest cybersecurity skills need is for cloud security specialists. This shouldn’t be particularly surprising since many government and commercial organizations are aggressively moving workloads to public and private clouds and need to find information security personnel who know how to protect and monitor this activity. Beyond cloud, however, ESG is troubled by many other needs such as network security specialists (28%), security analysts (27%), and data security specialists (26%). These are standard cybersecurity skills by any measure, indicating that many organizations remain understaffed and under-skilled in core areas of cybersecurity.
The data clearly indicates that many organizations are forced to protect sensitive digital assets with a cybersecurity team that is often understaffed and lacking the right skill sets. And given today’s increasing cybersecurity demands, it is also safe to assume that these infosec departments are completely overwhelmed by the sheer volume of their daily workloads.
ESG (and others) have been calling attention to the cybersecurity skills shortage for a number of years, but the data presented in this brief indicates that the situation continues to degrade. This point is further evidenced by the fact that 87% of survey respondents claim that it is very difficult, difficult, or somewhat difficult to recruit and hire cybersecurity professionals (see Figure 3). This is consistent with anecdotal stories in which CISOs report that open requisitions go unfilled for months while the cybersecurity staff remains buried. It is worth noting that this situation is especially acute in the public sector, where federal, state, and local governments struggle to compete for talent against private sector organizations with aggressive HR recruiting and higher-salary cybersecurity jobs.
The U.S. federal government recognizes the cybersecurity skills shortage and has a multitude of programs to help address these growing gaps. In 2010, the White House announced the National Initiative for Cybersecurity Education (NICE), which built upon the Comprehensive National Cybersecurity Initiative (CNCI). It has three main goals: accelerating skills and learning development, nurturing a diverse learning community, and guiding career development and workforce planning. The National Science Foundation provides funding for cybersecurity research and education, recently committing $74.5 million to support interdisciplinary cybersecurity research, including 237 projects in 37 states. The NSA’s information assurance program includes the National IA Education and Training Programs (NIETP), which offers scholarships for students pursuing cybersecurity education.
President Obama has also proposed a few additional cybersecurity education steps as part of the recent Cybersecurity National Action Plan (CNAP). With CNAP, the President’s budget invests $62 million to expand Scholarship for Service by establishing a CyberCorps Reserve program, developing a cybersecurity Core Curriculum, and strengthening the National Centers for Academic Excellence in Cybersecurity Program. The President’s budget also proposes student loan forgiveness programs for cybersecurity experts joining the Federal workforce and invests in cybersecurity education as part of computer science curriculums through the President’s Computer Science for All Initiative.
While these programs have altruistic goals, ESG research and other industry data clearly indicates that current efforts to bridge the cybersecurity skills gap are inadequate. Since U.S.-based organizations continue to address growing cybersecurity risks with insufficient skills and staff levels, the cybersecurity skills shortage has become a national security issue that puts all citizens at risk.
In spite of technical innovation, cybersecurity remains anchored by people and processes. Given this fundamental reality, addressing the growing cybersecurity skills shortage must be a high-priority issue for President Obama. Rather than piecemeal agency-based programs and pork barrel funding, bridging the cybersecurity skills gap demands a national strategy. In lieu of this type of comprehensive approach, we shouldn’t be surprised by a continuing tsunami of cybercrime, state-sponsored espionage, and the massive theft of personal information and intellectual property.