An insight into the international shortage in cybersecurity skills
Every day, we read of yet another company being hacked. In many cases, attacks are outpacing defense. The global shortage of trained and qualified cybersecurity talent exacerbates the already challenging task of defending against the rapidly accelerating volume of sophisticated advanced threats.
The shortfall remains a critical vulnerability for companies and nations, and impacts all industry sectors. Conventional education and policies are unable to meet the increasing demand. New solutions are needed to build the cybersecurity workforce necessary in a networked world.
Four Dimensions of the Cybersecurity Workforce Shortage
It is estimated that the total global cybersecurity spend in the next four to five years will be more than US$100 billion, according to Frost & Sullivan’s 2015 (ISC)² Global Information Security Workforce Study.
The biggest spenders and consumers of cybersecurity technology and services are governments and the financial services industry, which are often prime targets for attackers. By investing heavily in cybersecurity, these two sectors are better equipped to deal with the workforce shortage issue and can help drive best practices for training and recruitment.
The banking industry has been particularly active in increasing cybersecurity spending, reflecting its prominence as a target. In fact, banks are three times more likely to be targeted than non-financial institutions.
Traditional academic institutions are the primary source of initial education and training for cybersecurity professionals; however, deploying non-traditional methods could be another, better way to acquire and grow cybersecurity skills. Incorporating practical learning into academic programs would better prepare cybersecurity professionals for the real world.
While a bachelor’s degree is typically considered necessary to enter this field, cybersecurity-specific offerings in higher education are rare. Cybersecurity as an academic discipline or program of study is often inaccessible to students.
Employers need more effective strategies and incentives to recruit and retain top cybersecurity talent. While salary is often the common motivating factor in recruitment, training, the reputation of the prospective employer’s IT department, and potential for advancement matter as much in retaining talent.
Companies need to be strategic in deciding what skills will be needed to combat future cybersecurity threats and how new technologies can offset workforce shortages. Recognising that many new professionals lack necessary skills, and that even proficient workers require continuous skill development and on-the-job training, is crucial for talent retention.
Many countries have prioritised cybersecurity and are enacting legislation and national strategies, establishing coordinating bodies and cybersecurity agencies, and, in some cases, funding programs to cultivate a larger cybersecurity workforce.
The cybersecurity talent gap has become a prominent political issue, and governments across the world have called for increased support for the cybersecurity workforce in recent times.
Despite increased political engagement on cybersecurity workforce issues, more needs to be done to build the cybersecurity talent pool. Closing the gap in cybersecurity skills requires countries to develop critical technical skills, cultivate a larger and more diverse workforce, and reform education and training programs to include more hands-on learning experience.
Here are some suggestions on what can be done:
Cybersecurity education should start at an early age to target a more diverse range of students, and include hands-on experiences and training. Early exposure to cybersecurity careers is crucial for developing interest in the field.
Universities can seek greater relevance in this field by adding cybersecurity courses and working with industry and government to tailor the curriculum. Programs should focus on hands-on learning in the form of labs and classroom exercises to provide people with robust and practical skills in this field.
Increasing the diversity of the cybersecurity workforce will also expand the talent pool. Workforce enhancement efforts should aim to create a broader pool of cybersecurity talent. Many people with advanced degrees in fields relevant to cybersecurity, including computer and information science, possess international backgrounds, and policies enabling them to work in any country would be ideal.
Another barrier to expanding the cybersecurity workforce is the stigma that lingers around job candidates who have a history of hacking. Employers should be encouraged to develop a more flexible attitude towards hiring people who have had earlier experience in hacking.
Ongoing training programs are vital to retaining cybersecurity talent, as the lack of such programs often causes people to seek employment elsewhere. Governments and the private sector should collaborate on ways to enhance training opportunities for both students and current employees who want to improve their skills.
As automation creates operational efficiencies, cybersecurity professionals will focus more of their time and efforts on detecting, analyzing, and remediating more advanced threats. Employers should evolve skills in response to anticipated needs.
A dearth of data hampers our ability to develop targeted cybersecurity policies and strategies and to measure effectiveness. More national data on the cybersecurity labour market and standardised job functions will help drive more tailored solutions. Industry leaders, policy makers, and educators should also work to develop a common taxonomy of skills.
There should be a clearly defined and commonly understood list of high-value cybersecurity skills applicable across industry sectors.
Each country has unique factors that shape its cybersecurity posture, and these can be leveraged to develop a stronger cybersecurity workforce. Closing the gap in cybersecurity skills requires countries to develop critical technical skills, cultivate a larger and more diverse workforce, and reform education and training programs to include more hands-on learning.
Author credit: David Allott, Director for Cyber Defense at Intel Security Group – Asia Pacific