The Cybersecurity Skills Shortage


There is a massive problem in cybersecurity, and it has been growing for years. This problem is not a malicious program, or a rogue nation-state, or angry hackers, but rather a persistent imbalance in the labor market. Simply put, there are not enough cybersecurity professionals in the United States to meet the increasing need for better cybersecurity among American businesses. The lack of qualified cybersecurity personnel has been a problem for years, and it is proving to be more intractable than one might think. The problem is intensified as companies become more aware of their own vulnerabilities – especially in light of the high-profile network breaches that occurred throughout 2015.

The demand for cybersecurity professionals far outpaces the available supply. According to Jon Oltsik from Enterprise Strategy Group, in 2016 “46% of organizations now claim that they have a problematic shortage of cybersecurity skills representing an 18% year-over-year increase.” This means that cybersecurity teams are often understaffed, which makes it even more difficult for them to properly protect their employer’s networks.

Cybersecurity is a complex and nuanced field, and different organizations require different skills to achieve different goals. As a result, not every cybersecurity professional has, or needs to have, all of the relevant skills that a cybersecurity team could need. However, some skills and experiences are in high demand but are also harder to acquire than others. Lee Black, Vice President of Cyber Security Consulting for Orbis Operations, says that if companies want to protect themselves effectively from malicious actors, they need to hire “people who have a bit of a malicious mindset, and who have had the opportunity to perfect it” – ideally through working with the U.S. intelligence community. Obviously, that is a very finite pool of people, but the capabilities they provide can help organizations better anticipate how bad actors will approach their networks and enable them to be ready to deflect those attacks.

Since even the more easily obtained cybersecurity skill sets are still in extremely short supply, there are several initiatives underway to try to make up for the labor shortage in the cyber field. One option is increasing the ability of machines to protect themselves by automating cybersecurity functions. The Defense Advanced Research Projects Agency is currently running a Cyber Grand Challenge that is meant to do exactly that. The goal of the challenge is to create programs that can identify and fix vulnerabilities in other programs on their own, thus reducing the need for humans to perform that task.

However, automated cybersecurity is still far from being operational on a commercial level, so there are also programs in place to encourage people to choose cybersecurity as their career. These programs include the National Initiative for Cybersecurity Education (NICE), which is geared towards improving access to cybersecurity education and job opportunities in order to increase the size of the labor pool from which businesses are hiring.

The shortage of skilled cybersecurity professionals means that most organizations are at greater risk than they would otherwise be. There is a need for better education and talent development initiatives from both the public and the private sector in order to properly address this crucial shortfall. If we learned anything from last year, it is that the necessity of a solid cybersecurity program cannot be overstated or denied.

Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.