
What are the root causes of the cybersecurity skills shortage?

SearchSecurity talks with David Shearer, CEO of (ISC)2, about what is -- and isn't -- contributing to the cybersecurity skills shortage in the U.S., as well as how to fix the problem.

What's causing the cybersecurity skills shortage in the United States?

While some believe the shortage of cybersecurity professionals can be attributed to a lack of students earning degrees in science, technology, engineering and mathematics (STEM), David Shearer has a different view. Shearer, CEO of the International Information Systems Security Certification Consortium, or (ISC)2, believes the issue has more to do with how information security is viewed as a profession.

At the (ISC)2 Security Congress in Austin, Texas, last fall, Shearer took part in a panel discussion on the cybersecurity skills shortage with other industry figures, such as Deidre Diamond, founder and CEO of infosec staffing and recruiting firm CyberSN, and Don Freese, deputy assistant director of the FBI and former head of the bureau's National Cyber Investigative Joint Task Force.

SearchSecurity talked with Shearer following the panel and asked him about his views on the cybersecurity skills shortage and whether or not the ongoing string of high-profile data breaches has negatively impacted the image of the infosec profession. Here is his answer.

David Shearer: I think there is always going to be a certain percentage of people that look at the profession negatively and feel like they're going to be a scapegoat when things go wrong.

Let's just take any type of area where there's high risk and sometimes a perceived low reward for the amount of risk that's there. The people that tend to throw themselves into these types of areas, those are the people that are out there who say, 'I'll take the risk because I think I can make a difference. I think I can do this.'

A good example of that is Kevin Charest on the (ISC)2 board, who is in the healthcare arena. He is one of those people who wants to take on the tough challenges of turning around or enhancing a healthcare security program. What we need is more people to do that, but I think there's a certain put off to it.

It's the same thing that [FBI Deputy Assistant Director] Don Freese said during his keynote. He said we're seen as the people that say no to everything and thwart innovation. Well, how appealing is that?

That [was] the issue I was talking about on the panel to explain that the cybersecurity skills shortage is not a STEM issue. Does the United States have a STEM problem? Yes, we do. But that's not what's happening here with the cybersecurity skills shortage.

You have a region that has put out more STEM candidates than the United States since 1995, being the Asia-Pacific region, and the numbers [for the workforce shortage] are almost exactly the same. You go to colleges and universities and you could walk into almost any engineering discipline, including computer science, and most of those folks have no training on cybersecurity. It's starting to change, but maybe not for the right reasons.

Those colleges and universities -- and everyone else -- want to get into the cybersecurity game because they see the dollars and cents that are being spent on it. But now that they have curriculum within the university, a smart person might pepper in something more. I mean, we have a CSSLP [Certified Secure Software Lifecycle Professional] certification that's for secure software, and I believe that we either need to modify that certification or have another one that's not just software.

Look at the engineering that goes into manufacturing an automobile or public transportation. It's electrical, it's mechanical, it's software and it's chemical engineering. We need to be raising that at the design and engineering phase across those disciplines. They at least need to have Cyber 101 and say, 'When you're using your creative juices at the inception stage, be thinking about how we put secure products out.'

This was last published in February 2018


How has your organization struggled with finding the right cybersecurity skills?
I think it's mostly misinformed folks that think there is a CyberSec professional shortage. The professionals are right in the US; we don't have to import them. But companies are always looking for cheap recruits, so they keep talking about a "shortage" to get exceptions so they can get the foreign visa allotments. If they can hire a newly arrived immigrant for a fraction of what they are charging the government, they make a lot more money on the margin, and all they had to do was keep churning the "shortage" story. Except for a few good ones, the cybersecurity companies I have dealt with are in it for the money, are exceptionally cynical and are barely doing the jobs they are contracted to do. There are whistleblowers, but they have been silenced. I've gone through periods of unemployment while companies were going around stating they have shortages. Meantime, I was seeing folks being brought in from overseas and friends of mine being let go from contracts. So, not buying it. In 3-5 years this will be a big scandal and Congress will be holding hearings on it.
I've heard this argument before, but respectfully, I'm not sure I totally buy it. We went through the same type of talent shortage in the late '90s/early 2000s with the dotcom boom, but at that time companies were flush with cash. It wasn't about cutting costs -- the demand for talent was outpacing supply, and companies couldn't hire enough skilled software/web developers to get the job done. Similarly, demand for skilled infosec professionals Mind you, I'm not discounting your personal experiences here. Are there some companies looking to just cut costs through H-1B visas? I have no doubt. But I don't think it's the root cause of the issue here. However, if you're willing to share your experiences re: staff cuts and whistleblowers, I'm definitely interested. Feel free to contact me at rwright[at]techtarget[dot]com.
And I was there right in the talent shortage trying to get hired, as were a number of IT professionals, including some of my teachers. The difficulty with some of these companies is they establish hurdles for hiring locally and facilitate hiring from overseas. That's what happened in the '90s as well. I used to apply to 10-15 jobs a day. I finally hired a talent scout with the connections to help me. He got me hired within 30 days. I paid a month's salary. Most US companies don't look at the sustainable picture, rather the boom/bust profit quarters they watch. This model is outdated. I don't know why business schools keep churning out the same answers for questions that have been evolving and changing now for almost a decade. The US companies have to realize they are no longer competing in accordance with the business models they have established and parametrized since the end of WWII. The business model and engagement paradigms have all changed and are changing virtually daily now. So we can continue creating false "shortages" and Congress can continue throwing borrowed (from China) money at manufactured problems, or we can discuss real problems and establish real solutions.
Agree 100%. TCS/Infosys are flooding the market with 3-month visas and they replace full teams every 3 months.
There is no SHORTAGE. They do not want to pay. Please just humor me: go to any job search and use "junior security". Most of the corporations are just looking for liability cover and not for fixing the problem.
Many companies are trying to fill a requirement and don't know what they need, so they set unreal requirements. I interviewed for one that wanted expert knowledge in programming languages (C++, Java, etc.), server technology (Linux, Windows, Mac, VMware, SQL, ...); it went on and on. All this and 3 yrs. experience in InfoSec plus a CISSP certification. I guess they didn't know that a CISSP cert requires 60 months in at least 2 of the 8 security domains.
I think another reason for the shortage is that companies are only hiring people with experience and certifications, or at least the experience. They're not willing to give new graduates a chance to get into the security field. I had this happen to me many times after I graduated with a master's in internet security. I had the schooling but not the experience. I had experience in systems administration but not security. This is very discouraging, and why should you keep trying if nobody wants to give you a chance, unless you know someone in that company?
I've heard similar things from people I've spoken with on the issue over the last year. One of the most frequently cited solutions I've heard is for organizations to create more true entry-level positions for people coming out of college. It's not an entirely easy thing to do, of course, because you need experienced people to guide and mentor those entry-level hires, and that takes time out of their day-to-day duties. But if enterprises don't take the long view and make the investment now, then it feels like they're going to continue to struggle to find experienced people and have overworked staff.