As data breaches and ransomware attacks continue to dominate the headlines, so too do stories about the shortage of trained information security professionals. There is a link: The cybersecurity skills shortage means that the skilled human assets needed to fight hackers’ increasingly sophisticated and damaging attacks are just not available, leaving everyone less safe.
Recent estimates show there are as many as 3 million unfilled cybersecurity jobs, and the problem is getting worse. Suggestions for easing the shortage include everything from adding cybersecurity to K-12 curricula to expanding degree options at the university level to doing better at recruiting from a more diverse candidate population. So far results have been mixed at best.
There is no magic bullet for solving the cybersecurity skills shortage, and experts are increasingly suggesting the industry should be doing more, and a wider range of things, to address the problem. Jon Oltsik, analyst at Enterprise Strategy Group in Milford, Mass., and founder of the firm’s cybersecurity division, weighed in on the industry conversation in a recent interview.
This interview has been edited for clarity and length.
Just how serious is the cybersecurity skills shortage?
Jon Oltsik: This year in our research, 53% of organizations we surveyed said they have a problematic shortage of cybersecurity skills; that’s up from 51% in 2018, and I believe it was 46% in 2017. So, things are not getting better.
I do an annual research project with ISSA, the Information Systems Security Association, and this year we asked if organizations were impacted by the cybersecurity skills shortage: 74% of those who responded said their organization was impacted as compared to 70% last year. It’s pretty bad, and the ramifications of the cybersecurity skills shortage include increased workload on cybersecurity professionals. It includes things like people having to hire and train junior people versus senior people, and finding experienced people. Companies are also buying cybersecurity technologies and then not really having the time or the skills to use them effectively. This is a huge problem.
What’s the solution? Is there a solution to the cybersecurity skills shortage?
Oltsik: I don’t think there’s a solution to the problem, but I certainly think you can address it by integrating your technologies and by automating processes. That’s a good way to go; it sounds good, but standardizing on cybersecurity technologies, some type of platform, building automated processes — those are pretty hairy tasks, and it can take years to do that. There’s absolutely no simple solution to this.
How do we address this problem? I think it’s a societal problem, I think it’s an existential threat. There’s generally been awareness about this problem for a number of years, but I still believe we undermine it. Everyone does research on it and then suggests things to address it, but in my experience — and I’ve been covering this for years — things are getting worse, not better.
Here are a few things that we could do. Number one is the federal government in the U.S. and governments all over the world should be investing a lot more in awareness. High school kids and college kids don’t even know there’s a cybersecurity career path available to them, so we need to make people aware of that.
Number two is we have to provide a lot more funding for cybersecurity education. There are some good programs out of the National Science Foundation and the NSA’s information assurance program, but those need to be much broader-based and more heavily funded.
The third thing we need to do is to recruit outside of our base. Typically, cybersecurity professionals come from a technical or an IT background, and when they’re not from IT they’re either from law enforcement or from the military. We need to attract problem solvers; we need to attract business people; we need to attract gamers — there’s research that gamers make good cybersecurity professionals. We need to go outside of our base to recruit people.
One other thing to do is provide better training for the population at large on cybersecurity, because a lot of cybersecurity incidents are due to the fact that someone clicks on an email attachment that they shouldn’t, or someone gets social-engineered through a phishing email. Other countries like Korea make cybersecurity education a part of their school curriculum; the United States does not.
I would point you to North Dakota, which is doing a really good job of this and has integrated cybersecurity education into its K-12; it’s kindergarten through college and then into the workforce, so it’s got a very interesting and progressive program. With that type of education, even if you’re not a cybersecurity professional, you can get better at cybersecurity hygiene, and if you do, you’re going to ultimately protect all of us.
You mentioned recruiting from outside the traditional base. What are the cybersecurity skills that people — whether from the base or from outside it — can work on to make them better cybersecurity professionals?
Oltsik: Our research indicates that cybersecurity skills development is not what it should be — nor is cybersecurity career development.
The biggest thing that I think needs to happen is we need better synergy between technical cybersecurity education and business cybersecurity education. If you talk to any CISO, they’re a business executive and their job is to identify and mitigate risk. Most cybersecurity professionals who come up through the technical ranks know about packets and malicious files and email attachments and things like that, but they don’t understand the business context, so I’d say that’s really what we have to do, and that’s why recruiting business people is as important as recruiting more technical people.
What about skills for experienced cybersecurity professionals who are looking to grow their careers?
Oltsik: A really strong cybersecurity professional understands the technology stack, so they understand networks, systems, databases and applications, and then they can apply that knowledge to a business context. They can see that a particular set of sensitive data is accessed by employees who are overseas, and they can understand the risks associated with that. Or, it’s shared with a business partner, and they can understand the risks associated with that. That’s the way you manage the two angles.
What else should people know about the cybersecurity skills shortage?
Oltsik: Business people now recognize the risks associated with IT and cybersecurity. A few years ago we used to say that business people don’t want good security, they want good enough security. But now, based on all of the breaches, based on the digital transformation applications that they’re trying to utilize for business purposes, they get it. But there’s a disconnect between the business people and the cybersecurity people that needs to be bridged. The business people want to understand risk; they want to understand return on investment; they want to understand where to apply their dollars more effectively. The cybersecurity people know about bits and bytes and malicious code and vulnerabilities. So that, to me, is one of the key things I’m focused on — how do we bridge that gap?