Cybersecurity Suffers from Talent Shortage
Could there be a better time to pursue a career in cybersecurity? Probably not.
Recent studies have revealed that there's a serious shortage of talent to fill cybersecurity positions around the world.
For example, the Leviathan Security Group reported this staggering observation in February:
"With more than one million cybersecurity positions unfilled worldwide, currently-identified security needs couldn't be met if every employee at GM, Costco, Home Depot, Delta and Procter & Gamble became security experts tomorrow."
That's a sobering number when you consider the threatening environment facing organizations. In a survey of 649 cybersecurity professionals and IT managers released this month by the Information Systems Audit and Control Association (ISACA), a global professional association, and the RSA Conference, more than three quarters of them (77 percent) said they'd seen an increase in attacks in 2014. What's more, 82 percent said they expected to be attacked in 2015.
Worse yet, while organizations are coping with more threats, the report noted they're being forced to do it with a very shallow talent pool. Of the pros polled, only 16 percent felt at least half of their applicants are qualified. More than half the respondents (53 percent) said it can take as long as six months to find a qualified candidate — if they can find a qualified candidate at all. Meanwhile, more than a third of those polled said they have job openings they cannot fill.
"The State of Cybersecurity study reveals a high-risk environment that is being made worse by the lack of skilled talent," Robert E. Stroud, international president of ISACA and vice president of strategy and innovation at CA Technologies, said in a statement.
John N. Stewart, senior vice president and chief security and trust officer at Cisco, says the shortage of skilled talent isn't a gap that's going to be filled overnight.
"It will take years to close this talent gap," he said, "and that's only if we devote significant resources and attention to educating future workers and up-skilling current workers."
Even if universities were pumping out graduates with a desire for a career in cybersecurity at a brisk pace — and they're not — it would take time for green talent to grow into their jobs.
"The people coming out of school are all book learning and no experience," said James Arlen, director of risk and advisory services at Leviathan and one of the authors of the scarcity report.
"That lack of experience isn't something you can smooth over by reading the right textbook," he continued, "because the industry is moving so fast that by the time a textbook is written, it's out of date. It's already garbage."
Rebecca Lawson, senior director of product marketing at Juniper Networks, added that a college degree is a great way to start, but students ultimately need experience to prepare for a career in security.
"Learning about computer science more broadly and absorbing all you can about the field before specializing in specific parts of infosec is critical," she said. "It will allow the next generation of computer scientists to obtain a well-rounded background with the ability to grow and master new areas of security as the industry continues to evolve."
Security experts said there are a number of things undergraduates can do to improve their marketability after they obtain their degree. "You need to be a voracious consumer of information," Arlen said. "Some of the best documentation in the field is in conversations on Twitter and blog posts."
When attending conferences and forums, Arlen recommended students take the "hallway track." He explained: "It's one thing to sit in a room and listen to a talk and something else entirely to run into a speaker in a hallway and have a conversation."
Phillip Cox, cybersecurity group manager at Sandia National Laboratories, added that participating in "capture the flag" competitions is a way for students to gain valuable experience while in school.
"Those competitions really hone a student's skills around what it takes to be a cyber defender," he said. "That's everything from reverse engineering of malware to doing forensics on a machine.
"We've found that students who have those experiences, who have done those competitions, have a step up on students who just do the academics," he said.
When he's looking at a candidate's qualifications, Cox also likes to see a strong development background.
"There are a lot of [computer] languages out there and while they don't need a deep knowledge of all those languages, they need to be proficient in at least one of the industry-leading development languages," he said.
Students can also gain hands-on information security experience through "hackathons." For example, the Cloud Security Alliance held a hackathon at the RSA Conference this month challenging security pros to outfox the authentication features of the organization's Software Defined Perimeter specification, which is being developed by 100 companies and federal government agencies.
"Hackathons are a good example of how companies are reaching out to college students, both to help students see the possibilities of an infosec career and to look for potential job candidates," said Cisco's Stewart.
"This is a great time in history to choose an infosec career," he added, "because the need is huge and many entities are joining forces to overcome the skills shortage."