maxoidos - Fotolia
There is a hiring crisis in cybersecurity. Many organizations are desperate to find qualified security professionals and fill key staff positions. Consider this from ISACA: According to the 2015 Global Cybersecurity Status Report, which surveyed more than 3,400 ISACA members in January, 92% of those hiring cybersecurity professionals this year say it will be difficult to find skilled candidates. Another 53% of organizations plan to increase cybersecurity training for staff in 2015, while only 9% say they do enough security training already.
"There are currently over a billion dollars worth of unfilled positions globally," says James Arlen, director of risk and advisory services at Leviathan Security Group, a Seattle-based company that provides integrated risk management and information security to Fortune 100 companies and governments.
Companies looking to hire cybersecurity professionals can do themselves a big favor by just simplifying the application process. "Promote employee value and benefits, and put positions in the context of the broader organization," says Jeremy Bergsman, managing director at CEB, a member-based advisory company based in Arlington, Va. Human resource organizations need to make job postings comprehensible so potential candidates are more inclined to actually apply for open positions.
The professional hiring challenge is multifaceted, however. For starters, the breadth of knowledge required for many cybersecurity positions remains a moving target. Job descriptions can ask for expertise across multiple domains -- ranging from malware, threat mitigation, cryptography and forensics to industry-specific knowledge, advanced analytics, network virtualization, cloud and mobile security. The failure to find qualified candidates creates an attitude of near panic in some quarters.
The result is skyrocketing salaries, especially after the highly publicized breaches of 2014. While the labor concerns are genuine, experts offer hope beyond the headlines and differing views about the severity of the problem.
Is it a crisis?
Doug Saylors, a director at Information Services Group (ISG), a global outsourcing consultancy in Stamford, Conn., says that up until about four years ago, security was often "buried" within IT, typically supported on a part-time basis by UNIX or Windows administrators. However, as adversaries have grown more capable, companies have rapidly moved to build separate security organizations.
"This has resulted in increased salaries and a shortage of qualified [staff for] small to medium enterprises in the marketplace," he says. One ISG client lost a five-year employee who "literally doubled his salary for a similar role that was less than five miles" away, according to Saylors -- despite an internal HR study, 14 months earlier, that had determined the employee was paid a competitive salary.
RAND Considers Cybersecurity Labor Woes
RAND Corporation, the famous think tank, published a report in June 2014, "Hackers Wanted: An Examination of the Cybersecurity Labor Market," on behalf of its government clients. It takes a surprisingly measured view of the shortage of cybersecurity professionals. The authors -- Martin C. Libicki, David Sentry and Julia Pollack -- start with a careful review of factors that contribute to the problem in government as well as the range of potential solutions. However, in the final analysis, they suggest that the panic may be misplaced and that labor market equilibrium could return. The authors draw analogies to the Cold War-era aerospace boom that fueled careers but also left other folks stranded at mid-life when the threat picture changed. Furthermore, they speculate that fundamental changes in computing and IT security could alter the cybersecurity threat picture for the better in coming years. -- Alan R. Earls
John Pescatore, director of emerging security trends at the SANS Institute in Bethesda, Md., agrees that there is a shortage of capable information security specialists. However, beefing up security staff is not always the best strategy for some enterprises.
"Given that my organization is one of the largest training organizations for cybersecurity, it would be natural for me to say we have a skills shortage," he says. "But in a lot of cases this attitude comes from a general belief that the answer to cybersecurity threats is to throw more people at the problem."
Before senior management starts hiring information security specialists, they should look at IT processes as well as user education and awareness programs, he advises. "The reason so many enterprises need more security people is because they are doing basic things wrong in IT -- not keeping up with patches and misconfiguring things."
Those initiatives won't solve all the problems. "But if you can reduce major breaches from once a year to, say, once every three years, you can do without a lot of security people," he says.
If more staff is required, a big challenge for most companies is finding the skill sets that they need in specific locations. The cybersecurity talent tends to be clumped in a relatively small number of geographic areas, while the need for cyber skills is widely distributed. The only way to hire right now is to steal people from other organizations. Or import them, Pescatore says.
Leviathan's Arlen, who is Canadian, refers to himself as part of that "brain drain," in which firms pull tech talent from other countries to meet their needs. For American firms, Arlen says, the H1B mechanism can help -- but there are strict limits on the number of people that can be brought to the United States and employed with these visas, and there are time restrictions. Another challenge is the citizenship requirement imposed on many government or government-contractor positions.
The North American Free Trade Agreement should offer some help, but NAFTA was developed a generation ago and its specific language has no special provision for cybersecurity. NAFTA also deputizes border patrol people -- who have no special expertise -- to determine whether an individual seeking to cross the border for employment is sufficiently qualified. "I had 18 years of experience, including a period in charge of cybersecurity for the Ontario power grid, and I was told at the border that I didn't have the right credentials," Arlen says.
Training and development
Many organizations have underinvested in training, even though more education could enable them to turn good IT or networking staff into security specialists. "The bill for that failure is starting to hit," Pescatore says. There are ways to increase the pool within the United States by training more IT people to become security specialists. That includes looking at untapped sources. Several training organizations are now targeting former military people who have worked in the IT area. "With some mentoring to get into private industry, they can be a nice addition to the talent pool," he says.
STEMing the Tide
Getting more kids interested in STEM (science, technology, engineering and math) is often cited as the way to boost the nation's competitiveness and support innovative high tech. However, according to Kevin Kelly, CEO of LGS Innovations, a Herndon, Va., provider of network and communication solutions to governments and businesses, it is especially critical for the U.S. government. "The Department of Defense and companies like LGS Innovations are among the largest employers of cybersecurity professionals and STEM graduates," says Kelly. "One of the challenges being faced in the public sector is not just a shortage of cybersecurity professionals, but a shortage of cyberworkers that can be cleared."
Many government cyberpositions require citizenship for high-level security clearances. There is an immediate need to boost domestic STEM initiatives, according to Kelly, because there will be a shortage of 230,000 qualified advanced-degree STEM graduates by 2018. "As a nation, we need to begin exposing our high-school and middle-school aged children to the technologies germane to the cybersecurity challenges through programs like CyberPatriot to begin building our pipeline of future cyber experts," he says.
In addition, as systems increase in complexity, there will be a growing need for cyberexperts to ensure each component sourced within the global supply chain is free from cybervulnerabilities, Kelly adds. -- Alan R. Earls
Education is another avenue to improving the cybersecurity workforce. (See: "STEMing the Tide") But many companies remain dubious about the efficacy of degree programs.
Arlen currently serves on the advisory board for an information security program at a Canadian university. The advisory board is involved in the process of curriculum review, itself the result of a lengthy process. In several weeks, the results will go to the Ministry of Education for approval, a process likely to take many more months. The bottom line is that the curriculum probably won't be implemented until 2017, and graduates will not emerge until 2021 at the earliest, by which time, he notes, much will have changed in the field.
John PescatoreDirector of emerging security trends, SANS Institute
Indeed, says Arlen, IT pros often have to "untrain" recent graduates who learned about the field from books written as much as a decade earlier. However, given the perceived talent shortage, even those with the barest of skills can now command substantial entry-level salaries, even though "degree-less people with a Mohawk and a kilt may be the ones that are actually making the meaningful contributions," he says.
No matter the field, employers almost always complain that the college graduates they hire "don't know anything," Pescatore says. Colleges could improve their results if they relied more on practitioners to teach and if they emphasized more hands-on "lab" work. The key is not getting people to pass quizzes, "it's operational excellence, doing it better than the bad guys," he says.
What skills matter most?
When it comes to filling cybersecurity positions there are differing views about formal training and certification versus experience. However, the bottom line is that security professionals need to demonstrate specific skills that may not be as valued in other career paths, says Chris Bucolo, senior manager of partner relations in the security and compliance practice of Sikich LLP in Chicago.
IT people may know about different aspects of security but often lack a broader perspective. Key attributes for career success in cybersecurity include the following:
- Proven ability to think on their feet. Many threats are very fast moving and can pop up out of nowhere.
- Skills to troubleshoot and find the source of problems.
- Able to think critically rather than just watch things unfold.
- A willingness to do things differently and persuade others to try something new. For example, balancing user experience issues with security needs.
- The ability to implement change and help an organization adapt to a new security requirement or challenge.
Fortunately, says Bucolo, there are IT people who can make the leap. "The technology things matter deeply, but it is still vital to have an ability to relate it to the organization and the people," he says. "That can have a big impact on whether data actually gets lost."
"Many companies are still at an early phase of their efforts to fully secure their systems," says Shawn Panson, leader of PwC's U.S. risk assurance emerging services practice. So, building that needed capability will take time.
A good strategy is to evaluate current employees and consider whether they have the critical-thinking skills necessary to respond to cyberthreats, asserts Bucolo: "We are not doing a good enough job of assessing existing talent and whether some individuals in our organizations might have real aptitude for handling bigger security issues."
Alan R. Earls is a freelance journalist based near Boston. He focuses on business and technology, particularly storage, security and the Internet of Things.