A global cybersecurity talent crisis is threatening both the public and private sectors, a new report released on Wednesday has found, leaving businesses and countries more vulnerable to attackers.
The new study, “Hacking the Skills Shortage” by Intel Security and CSIS, surveyed eight countries — Australia, France, Germany, Israel, Japan, Mexico, the United Kingdom, and the United States — and reveals there is a widespread shortfall in the cybersecurity workforce. A whopping 82 percent of IT professionals said there is a shortage of cybersecurity skills, and 71 percent said the talent shortfall “does direct and measurable damage” to their organization’s security networks.
There is also a deep concern among cybersecurity professionals that governments are not investing enough to boost cybersecurity talent, with more than three-fourths — or 76 percent — saying their government is not doing enough. “People want governments to do more to create the talent pool, and that was universal,” James Lewis, a senior vice president and director of the Strategic Technologies Program at CSIS, said.
The same percentage also called for better laws and regulations on the books, with the report stating that “there is a public demand for political leaders to improve cybersecurity legislation.”
“Countries can change this shortfall in critical cybersecurity skills by increasing government expenditure on education, promoting gaming and technology exercises, and pushing for more cybersecurity programs in higher education,” the report reads.
One surprising finding, according to Lewis, was that respondents overwhelmingly said there were better ways than a traditional degree to acquire cybersecurity skills.
“Certifications, hands-on experience, gaming — that’s what makes a good cybersecurity worker,” Lewis said.
Another aspect that Lewis said he was not expecting from the survey was that the majority of respondents said they felt their companies had been damaged by a lack of cybersecurity talent, including the loss of proprietary data and intellectual property.
The report is especially timely given the spotlight on cybersecurity due to the hack involving the Democratic National Committee (DNC). Lewis said incidents such as the DNC hack are “a tactic we haven’t learned how to protect ourselves from, and it’s something we really need to think about.”
“The way to push back may not necessarily involve the military, it may involve law enforcement or sanctions, but either way it’s something we’re not prepared for,” Lewis said. “For the government, until you can get more cybersecurity people available, we’re just going to be an easy target for hacks like at the DNC.”
Candace Worley, senior vice president of the Enterprise Solutions Marketing group at Intel Security, said the survey was conducted in response to the “buzz in the market” about the impending cybersecurity workforce shortage. While a little bit of work had been done in the area, it was “more speculation and anecdotal than it had been hard research,” she said.
“We really wanted to look at this from a global perspective,” Worley said. “Is there a talent shortage or not? Pretty universally, people think that there is.”
It is estimated that in 2015, about 209,000 cybersecurity jobs went unfilled in the United States, the study pointed out.
The most desirable skills for cybersecurity professionals were a fairly small set, and the same three were cited by those in all eight countries, she noted: intrusion detection, secure software development, and attack mitigation.
“Those skillsets are hard to train someone on in a classroom,” she said. “Those are often learned, based on experience.”
The survey points to the need both to focus on building talent and to automate some of the more mundane cybersecurity tasks to address the capacity gap, Worley said.
“Throwing more gray matter at this problem — just having the idea, ‘I’ll hire more people to solve this problem’ — is a losing proposition,” she said. “The people who are in this world, hacking and using malware, do this like a business. It is an organized business. Thinking we’re going to solve the capacity problem by just hiring more people and training them up, it can’t happen fast enough.”
“It has to be a combination of automate where you can – evaluate your security program, ID those parts of the process that could be automated with minimal risk, and secondarily, look at your talent pool … and move your super smart people off automated, rote stuff, and into where you incur the greatest cyber risk,” Worley added.
Top cybersecurity experts recently told The Cipher Brief that focusing on talent is one of the key ways government can boost its cybersecurity posture. And there have been increased efforts on the federal level in the last few months to try to tackle the cybersecurity workforce shortfall.
In June, the Department of Homeland Security launched a pilot project to place employees into private sector companies for training stints of up to six months. Meanwhile, this month, the White House announced measures to try to combat the cybersecurity workforce shortfall with its first-ever Federal Cybersecurity Workforce Strategy to help recruit, retain, and develop talent. And on Tuesday, President Barack Obama approved a directive to coordinate policy on the federal government’s response to major cyber incidents.
To tackle the crisis across the board, the new report recommends that those hiring cybersecurity workers redefine the minimum credentials for entry-level jobs and accept professional certifications and hands-on experience as evidence of suitable skills. Employers also need to boost the diversity of the talent pool, provide more opportunities for continued learning outside the workplace, and look to automate cybersecurity functions.
The Intel Security and CSIS survey was conducted by an independent technology market research specialist. Interviews took place in May 2016. Interviewees came from both the public and private sectors and from organizations with at least 500 employees, and consisted of IT decision makers involved in cybersecurity. The survey was also based on open-source data and interviews with experts.