Among concerns of an Iranian cyber apocalypse, countless ransomware variants on the loose and yet another exposed ElasticSearch server, the biggest challenge for the cybersecurity industry is arguably its own skill shortage. One recent study claims the current deficit sits at over four million unfilled positions and argues that the workforce needs to grow by a whopping 145%.
Headcount isn’t the only challenge for the industry’s workforce, with the current crop of security professionals also lacking in diversity on several fronts. With women only representing around 20 percent of the total workforce, the industry urgently needs to do better.
Practical skills and experience trump university names when it comes to a cybersecurity CV. This attitude should be embraced, yet the skills and experience that are valued within the community remain too narrow. Expertise in areas as disparate as psychology, area studies, and public policy can all make an essential contribution to the field. The cybersecurity industry, therefore, needs to do better at fostering a diversity of skillsets.
Why the skill shortage matters
The industry’s skill shortage has a direct impact on security. Without enough people, under-resourced teams inevitably miss things, make mistakes, and take shortcuts. Current shortfalls also drive up the price for both talent and cybersecurity services, making robust security unattainable for too many.
The current skill shortage also takes a toll on those working within the industry.
Over-stretched employees naturally struggle to maintain a sustainable work-life balance. This makes the skill shortage arguably one of the most important, yet under-discussed, drivers of mental health and burnout within the industry.
A lack of numbers also increases the reliance on those that do possess the required skills. This potentially means bad apples who create a negative working culture are often able to stick around for far too long.
Despite the urgency of the problem, large portions of the cybersecurity industry remain passive. Correcting the skill shortage is seen by most as an exclusive government concern. Yet, governments are arguably doing their bit. In the UK, for example, the National Cyber Security Centre (the government’s leading cybersecurity body) has introduced a variety of initiatives, including cybersecurity competitions for 14-year-old girls, cyber student bursaries, and courses for 11-17-year-olds. The Department of Education has also managed to wrangle coding, computer science, and cybersecurity skills into the school curriculum.
Alongside these governmental efforts, other stakeholders need to step up too — namely the private sector as well as the broader infosec community.
Industry, let’s go
Private sector firms are the organizations profiting the most from the cybersecurity boom. They are the ones that typically poach workers that the government has paid to train up. Crucially, however, they are the organizations that really depend on cybersecurity talent. There is, therefore, both a moral and highly pragmatic case for firms to become more involved in addressing the skill shortage.
One clear way firms can become part of the solution is to offer more entry-level jobs, both through apprenticeships for school leavers and schemes for university graduates. This would allow fresh faces to learn the fundamentals of cybersecurity on the job.
Despite the high number of cybersecurity vacancies, too many still require multiple years of experience. Organizations can, therefore, take more significant leadership on the issue by taking on and training new joiners. By building their own pipeline of talent, firms address both their individual staff requirements and contribute to fixing the broader problem.
Cybersecurity firms can also foster talent in other ways. One only needs to look at the various unusual journeys into infosec to realize the industry is an eclectic bunch — one that welcomes those that haven’t graduated high school and those from unconventional backgrounds. This shows that a range of skill sets can and do contribute to the infosec community.
At the same time, however, this open-minded culture is not always reflected in a job market that often focuses on a narrow set of technical skills. Organizations, therefore, have the opportunity to provide alternative formal pathways and career tracks, which better utilize the skillsets of those from all walks of life (including the social sciences, humanities, and arts).
Finally, organizations can do more to communicate what they are looking for in new hires transparently. University career advisers have no shortage of guides and flashy PDFs to throw at students interested in law, banking, or consulting careers. Unfortunately, the same cannot be said for a career in threat intelligence, penetration testing, or information assurance. It is, therefore, incumbent on cybersecurity firms to provide better guidance for future talent. This could include reading lists, resources for skill development, and information that can help to clarify possible career roadmaps for young talent. Mentorship is hugely important in the industry, and firms should be a big part of this.
Of course, many organizations are doing great work on many of the areas mentioned above. However, the urgency of the skill shortage means these efforts need to be dramatically accelerated.
Smells like community spirit
Alongside private sector efforts, the broader infosec community can also step up. This should not detract from the excellent community-led efforts already going on: various women in cybersecurity groups have done an excellent work in building supportive environments; The Many Hats Club has fostered a community for infosec professionals from all walks of life; NinjaJobs is an example of a community-led response to helping people find the right job; while SecJuice provides a platform for aspiring writers and new talent to find their voice.
At the same time, however, the infosec community is often overtly hostile to new joiners. Too many seek to dismiss and even embarrass rookies with naive ideas, rather than provide mentorship and guide this enthusiasm towards more nuanced perspectives. From publicly humiliating new talent to desperately tedious Twitter drama, there is plenty to alienate and disillusion new joiners.
Of course, there is much to commend about the tough and combative nature of the infosec community. The tendency to call out misleading marketing and bogus claims helps to keep standards high. The key is to retain this rigorous spirit while also providing a more gentle ramp for newcomers.
The cybersecurity skill shortage poses many challenges. Rather than wait around for a government bailout, the infosec industry should examine what it can do itself to solve these problems.