
Cybersecurity skills shortage: What are the root causes?

SearchSecurity talks with David Shearer, CEO of (ISC)2, about what is -- and isn't -- contributing to the cybersecurity skills shortage in the U.S., as well as how to fix the problem.

What's causing the cybersecurity skills shortage in the United States?

While some believe the shortage can be attributed to a lack of students earning degrees in science, technology, engineering and mathematics (STEM), David Shearer has a different view. Shearer, CEO of the International Information Systems Security Certification Consortium, or (ISC)2, believes the issue has more to do with how information security is viewed as a profession.

At the (ISC)2 Security Congress in Austin, Texas, last fall, Shearer took part in a panel discussion on the cybersecurity skills shortage with other industry figures, such as Deidre Diamond, founder and CEO of infosec staffing and recruiting firm CyberSN, and Don Freese, deputy assistant director of the FBI and former head of the bureau's National Cyber Investigative Joint Task Force.

SearchSecurity talked with Shearer following the panel and asked him about his views on the cybersecurity skills shortage and whether or not the ongoing string of high-profile data breaches has negatively impacted the image of the infosec profession. Here is his answer.

David Shearer: I think there is always going to be a certain percentage of people that look at the profession negatively and feel like they're going to be a scapegoat when things go wrong.

Let's just take any type of area where there's high risk and sometimes a perceived low reward for the amount of risk that's there. The people that tend to throw themselves into these types of areas, those are the people that are out there who say, 'I'll take the risk because I think I can make a difference. I think I can do this.'

A good example of that is Kevin Charest on the (ISC)2 board, who is in the healthcare arena. He is one of those people who wants to take on the tough challenges of turning around or enhancing a healthcare security program. What we need is more people to do that, but I think there's a certain put off to it.

It's the same thing that [FBI Deputy Assistant Director] Don Freese said during his keynote. He said we're seen as the people that say no to everything and thwart innovation. Well, how appealing is that?

That [was] the issue I was talking about on the panel to explain that the cybersecurity skills shortage is not a STEM issue. Does the United States have a STEM problem? Yes, we do. But that's not what's happening here with the cybersecurity skills shortage.

You have a region that puts out more STEM candidates than the United States since 1995, being the Asia-Pacific region, and the numbers [for the workforce shortage] are almost exactly the same. You go to colleges and universities and you could walk into almost any engineering discipline, including computer science, and most of those folks have no training on cybersecurity. It's starting to change, but maybe not for the right reasons.

Those colleges and universities -- and everyone else -- want to get into the cybersecurity game because they see the dollars and cents that are being spent on it. But now that they have curriculum within the university, a smart person might pepper in something more. I mean, we have a CSSLP [Certified Secure Software Lifecycle Professional] certification that's for secure software, and I believe that we either need to modify that certification or have another one that's not just software.

Look at the engineering that goes into manufacturing an automobile or public transportation. It's electrical, it's mechanical, it's software and it's chemical engineering. We need to be raising that at the design and engineering phase across those disciplines. They at least need to have Cyber 101 and say, 'When you're using your creative juices at the inception stage, be thinking about how we put secure products out.'

This was last published in February 2018

Join the conversation

4 comments

I think it's mostly misinformed folks that think there is a CyberSec Professional shortage. The professionals are right in the US, we don't have to import them. But companies are always looking for cheap recruits so they keep talking about "shortage" to get exceptions so they can get the foreign visa allotments. If they can hire a newly arrived immigrant for a fraction of what they are charging the government they make a lot more money on the margin and all they had to do was keep churning the "shortage" story. Except for a few good ones, the cyber security companies I have dealt with are in it for the money, are exceptionally cynical and are barely doing the jobs they are contracted to do. There are whistleblowers but they have been silenced. I've gone through periods of unemployment while companies were going around stating they have shortages. Meantime I was seeing folks being brought in from overseas and friends of mine being let go from contracts. So not buying it. In 3-5 years this will be a big scandal and Congress will be holding hearings on it.

I've heard this argument before, but respectfully, I'm not sure I totally buy it. We went through the same type of talent shortage in the late 90s/early 2000s with the dotcom boom, but at that time companies were flush with cash. It wasn't about cutting costs -- the demand for talent was outpacing supply, and companies couldn't hire enough skilled software/web developers to get the job done. Similarly, demand for skilled infosec professionals Mind you, I'm not discounting your personal experiences here. Are there some companies looking to just cut costs through H1-B visas? I have no doubt. But I don't think it's the root cause of the issue here. However, if you're willing to share your experiences re: staff cuts and whistleblowers, I'm definitely interested. Feel free to contact me at rwright[at]techtarget[dot]com.

And I was there right in the talent shortage trying to get hired, and so were a number of IT professionals, including some of my teachers. The difficulty with some of these companies is they establish hurdles for hiring locally and facilitate hiring from overseas. That's what happened in the '90s as well. I used to apply to 10-15 jobs a day. I finally hired a talent scout with the connections to help me. He got me hired within 30 days. I paid a month's salary. Most US companies don't look at the sustainable picture, rather the boom/bust profit quarters they watch. This model is outdated. I don't know why business schools keep churning out the same answers for questions that have been evolving and changing now for almost a decade. The US companies have to realize they are no longer competing in accordance with the business models they have established and parametrized since the end of WWII. The business model and engagement paradigms have all changed and are changing virtually daily now. So we can continue creating false "shortages" and Congress can continue throwing borrowed (from China) money at manufactured problems or we can discuss real problems and establish real solutions.