Risk

12/11/2017
10:30 AM
Steve Morgan
Steve Morgan
Commentary
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
100%
0%

5 Reasons the Cybersecurity Labor Shortfall Won't End Soon

The number of unfilled jobs in our industry continues to grow. Here's why.

Cybersecurity Ventures predicts there will be 3.5 million unfilled jobs by 2021, up from 1 million at the end of 2013. With a growing awareness of the cybersecurity workforce shortage, why is the problem getting worse each year? Here are the top five reasons:

Reason 1: The community doesn't take the cybersecurity workforce shortage seriously enough. In late 2013, Cisco projected there were 1 million job openings globally. For several years after that, cybersecurity labor figures were only minimally updated. Various surveys (as opposed to research) have drastically underestimated the problem because they relied on polls that didn't sample enough companies, or they focused on information/IT security and failed to take the broader cybersecurity market into consideration. This leaves out heaps of workers involved with Internet of Things security, ICS (industrial control systems) security, automotive security, embedded security, and numerous other large categories.

Some surveys, such as ISC2's Global Information Security Workforce Study (registration required), portray a workforce with the number of unfilled cybersecurity jobs not even doubling in nearly a decade, from 2013 to 2022. This is a stark departure from my own research, which shows the number of unfilled positions actually is expected to grow 3.5 times during an even shorter timeframe, from 1 million in 2013 to 3.5 million in 2021.

Reason 2: Universities are not graduating enough students with cybersecurity experience. A story in Forbes last year indicated students can graduate from any one of the top 10 US computer science programs without taking a single course on cybersecurity. CloudPassage, a cloud security firm based in San Francisco, concluded that the American higher-education system is failing at preparing students for careers in cybersecurity. While that may be an overstatement, there are clearly too few college cybergrads released into the workplace each year. At the upper end of the spectrum, only around 150 schools in the US offer an advanced degree such as MS in cybersecurity programs, and many of them are relatively new.

Reason 3: Young people are not getting involved and exposed to cybersecurity early enough. Middle schools and high schools are not teaching students cybersecurity. A study by Raytheon suggests that less than half of students surveyed say a parent or teacher has discussed cybersecurity with them. Hardly enough high school seniors are graduating with intentions to pursue careers as cyber fighters. By the time they enter college, it's too late.

Reason 4: Organizations aren't cross-training their IT workers. CIOs and CISOs are not cross-training enough of their support specialists, network administrators, programmers, Web developers, systems analysts, database administrators, network architects, IT project managers, and others on cybersecurity. There's also no indication of a trend by senior IT leaders to cross over technology workers to fill open cybersecurity positions.

Reason 5: IT leaders have bought into the idea that artificial intelligence and cognitive security will solve the labor crisis. There's exhaustive hype around the promise of AI and how it can reduce the cybersecurity staffing burden at organizations globally. AI is a phenomenal technology that can improve and even transform businesses of all types and sizes. But the productivity and efficiency gains don't translate into fewer workers.

Related Content:

Steve Morgan is the founder and CEO at Cybersecurity Ventures and Editor-In-Chief of the Cybersecurity Market Report. The Cybersecurity Market Report is published quarterly and covers the business of cybersecurity, including global market sizing and industry forecasts from ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
12/18/2017 | 9:15:49 AM
One more thing: not enough professors
Working in academia, I can tell you it's hard to get top cybersecurity talent in teaching.  Many of the top people don't have the Master's-level degree that is required, and fewer the PhD that is preferred.  Everyone who's really great is tremendously busy.
SchemaCzar
50%
50%
SchemaCzar,
User Rank: Strategist
12/15/2017 | 9:23:04 AM
Companies don't want to change organizational behavior for security anyway
It's one thing to post a cybersecurity job req; it's another thing to follow through.  There's a major lack of organizational will do spend the money and time on it.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
12/12/2017 | 1:59:10 PM
Re: Reason 6
Definate a hard career.  A woman I work with who knows as much about cyber secrurity as anybody I know took the CIISP test after studying herself into an early grave and on THE FIRST QUESTION she knew she was doomed.  That hard!!!
NickB368
50%
50%
NickB368,
User Rank: Apprentice
12/12/2017 | 12:10:33 PM
Reason 6
Thank you for the well written and researched article. I was thinking about this recently and wonder if there wasn't one more to add to the list:

  • Other IT related jobs that might be easier, with similar pay


A career in cybersecurity can be really rewarding, but it's a difficult career path as well! The research and development side is mind boggling, involving understanding applications, operating systems, protocols and their inner workings. The practitioner side requires the soft skills AND the technical skills to troubleshoot, roll out a product, get awareness, etc. You could argue that cybersecurity careers pay more on average, but do they pay double what a more generalized IT career might? Are they twice as difficult? (I guess what I'm saying is that as far as jobs are concerned people DO follow the money)

As you mentioned, starting awareness and training earlier in the education/career path would help alleviate this problem to a certain extent... But more related to your reason #4, I'm not sure that a lot of people start out with the idea that they'd like a career in cybersecurity. So I feel like cross training could be the shortest path to fixing the problem. This would get people with experience and the proper background involved, thus making room for the more recent college grad's to backfill the more generalized spots.

Basically though, it ALL ties back to a pretty gross underinvestment in cybersecurity as a whole. I recently heard a comment in an interview with Tom Kellermann that only 6% of IT spend is on security. Fixing that issue might be the first step in fixing the labor shortfall. I certainly don't have all of the answers, but I wanted to pile on some more food for thought. Thanks again for the interesting read!
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
12/12/2017 | 9:48:34 AM
Re: Where are the jobs?!?!
The real bedrock issue is not Cybersecurity per se but generalized IT as a career.  Used to be a hot one indeed and I sitll have my old Novell Netware CNE on the wall.  But that was before American management discovered India and what was a well paying, career enhancing career became something of no value at all and liable to be outsourced to Bangalore in a heartbeat.  Abbott (a place I recently left) sent 140 qualified IT staffers out the door do be placed by a helpdesk at Wipro.  It wsa horrible and paid poor.  So why would anybody in college venture into a career path that slams the door on your ass on the way out.  IT has no respect these days.  Want proof?  Equifax.  Oh, NOW they know more but still it is always CHEAPER,FASTER,BETTER (one word) in Bangalore.  So nobody in IT is really moving to cyber security except a few.  No new people are coming INTO information tech for good reason.  
StephenM95002
100%
0%
StephenM95002,
User Rank: Apprentice
12/12/2017 | 9:45:58 AM
Re: Where are the jobs?!?!
@Jeff- Thanks for the reply. I'll take your advice. I picked up my cap and gown yesterday so we'll see how things go.
Jeff Stebelton
100%
0%
Jeff Stebelton,
User Rank: Strategist
12/12/2017 | 9:41:16 AM
Re: Where are the jobs?!?!
I just did a search on indeed.com for information security in Columbus, Ohio, not exactly a hotbed for Infosec jobs. 1,6556 hits. And no, I didn't look at every page to see if they were all relevant but lets; assume 1,000 of them are. The fact you have to work remotely would probably wipe out 80% of those but there are still a ton of jobs available. A degree in CyberSecurity will be a game changer, once you can add that to your resume. Post it on LinkedIn and get ready for alot of Inmails from recruiters. 
StephenM95002
100%
0%
StephenM95002,
User Rank: Apprentice
12/11/2017 | 2:01:54 PM
Where are the jobs?!?!
It seems to be a recurring theme these days," Cybersecurity labor shortfall" and "Not enough security professionals to fill open roles". Okay if that is the case then where are all these jobs posted at?!?! Is there some super secert job site that only the people writting these stories have access to? I'm not asking of a friend, I'm asking for myself. I've worked in the Information Technology field for the last 18 years and about to graduate with a degree in Cybersecurity. I'm just not seeing all the jobs everyone is talking about. Granted I'm a little picky. I need to work by remote and would like to make enough to live on. Other than that I'm pretty flexible. Can someone do an old man a solid and point me to all these jobs I keep reading about? I'm just ready to take the next step in my career.
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.