The world is currently experiencing a serious cyber security talent shortage that is having profound effects on businesses and governments alike. An alarming number of cyber security/information security professionals surveyed for ISACA’s State of Cyber Security 2017 report (37 percent of 633 respondents) said fewer than 1 in 4 job applicants possess the qualifications employers need to keep companies secure.
This skills gap is further illustrated by the 45 percent of survey respondents who said that they don’t believe most applicants understand the business of security. As demand for cyber security professionals continues to explode, the lack of educated and experienced candidates means countless positions are left unfilled. Michael Brown, CEO at Symantec, said he expects the number of cyber security positions will rise to 6 million worldwide by 2019, with a projected shortfall of 1.5 million workers.
With such an inadequate supply of qualified workers, security risk remains high, as cyber crime only intensifies in sophistication and magnitude. Due to the high demand for cyber security experts, pay in the field is competitive and job security is strong. The State of Cyber Security Professional Careers survey, conducted by the Enterprise Strategy Group and Information Systems Security Association, reported that 46 percent of working cyber security professionals said they receive solicitation for other jobs at least once per week.
For the government, the public sector, small businesses and other comparatively low-paying industries, this situation makes it even harder to attract and retain qualified talent since those who possess the in-demand skills are likely to seek jobs with more lucrative compensation at larger companies in the private sector. Not only is pay often lower in the government and the public sector but the hiring process is typically slower, as well, which only compounds the problem.
"Small and mid-sized businesses are suffering the most," IDC analyst Sean Pike told Computer World. According to the publication, Pike said he's heard of security specialists moving into managerial roles in corporations who can make upwards of $250,000. One such manager moved into the vice president level and made $750,000. With salaries at such high levels, smaller companies often have to resort to taking out an incident response retainer with a service provider for a year to protect against exploits.
Education Falling Behind In Preparing Cyber Security Professionals
Part of the problem with finding qualified talent is that cyber security tactics are constantly changing and hackers are becoming increasingly sophisticated. Not only that, but rapid technological advances mean cyber professionals must stay vigilant if they want to stay current. And academia, for the most part, has failed to keep up.
Cyber security professionals need a high level of education, must possess strong technical know-how, and be lifelong learners who are able to keep up with the ever-changing tactics, tools and methodologies used by hackers. Unfortunately, most universities today offer an outdated approach to cyber security education, failing to take into account the importance of hands-on learning and 21st century tactics, leaving graduates with a gaping skills gap once they enter the field. According to an Intel study, Hacking the Skills Shortage, only 23 percent of respondents said education programs are preparing students to enter the workforce.
The study further explained: “While a bachelor’s degree is typically considered necessary to enter this field, cybersecurity-specific offerings in higher education are rare. Cybersecurity as an academic discipline or program of study is often inaccessible to students. Only 7 percent of top universities in the countries we researched offer an undergraduate major or minors in cybersecurity. As for graduate work, about a third of top (global) universities offer a master’s degree in some cybersecurity field.”
Source: Hacking the Skills Shortage, Intel Security
Similarly, CloudPassage conducted a study of 121 top-ranked universities and concluded that:
“The American education system is failing computer science students by de-prioritizing cybersecurity training. Universities are inadvertently contributing to the lack of cybersecurity readiness in the U.S. by failing to teach students how to implement security thinking and awareness into all new code design, development, and testing. Given the increasingly complex nature of today’s threat landscape, security can no longer be added on after new products and innovations are delivered to market. Cybersecurity training must be a graduation requirement for all computer science programs.”
Not only are universities falling behind when it comes to cyber security education, but high schools are also not playing their part in bringing awareness to the career path and encouraging students to enter the field. A survey conducted by Raytheon, Securing Our Future: Closing the Cybersecurity Talent Gap, found that: “In the U.S., 67 percent of men and 77 percent of women said no high school or secondary school teacher, guidance or career counselor ever mentioned the idea of a cybersecurity career.” Finally, making the cyber security crisis even more acute is the fact that it is currently a male-dominated field. With women largely underrepresented, the pool of candidates is half of what it could be. In order to truly make a dent in the cyber security skills gap, women and girls need to be encouraged to enter the field.
Academia’s Role in Filling the Gap
What’s the solution? The solution, for the most part, is education. Universities must evolve their offerings and programs to meet the needs of 21st century information security professionals. And that is starting to happen at some progressive higher education institutions around the country, with certain universities even launching online cyber security master’s degree programs to cater to the needs of working professionals.
The question for students becomes: how do I know which program and university are going to best prepare me for the demands of the field and employers? When considering cyber security degree programs, students should look closely at the curriculum. One of the most important components of a cyber security program is hands-on, applied learning. Without it, many employers won’t even consider an applicant, even if they have a master’s degree in cyber security. It is also wise to look at the faculty in the program being considered.
Are the faculty currently working in the field? Do they have a deep background in the cyber security subject areas that are of interest to the student? Faculty that are active in the cyber security field are best equipped to offer students the modern skills they need today. A degree that mixes theory with applied hands-on learning teaches lifelong learning skills; when taught by current practitioners and experts in the field, it will best prepare students for jobs upon graduation.
In addition to universities overhauling their programs and introducing new cyber security degrees, the private sector and the government are looking to play their part to encourage aspiring professionals to further their education and consider a career in cyber security. In 2016, Cisco launched its Global Cybersecurity Scholarship program, offering free training, mentoring and testing to help close the skills gap.
The federal government launched the CyberCorps®: Scholarship For Service (SFS) program that provides education funding in exchange for work upon graduation. To encourage more women to enter the field, Raytheon announced it would be offering six scholarships for women to pursue cyber security degrees. A number of groups such as The Women’s Society of Cyberjutsu and The Women in Cyber Security Initiative have formed with the goal of getting girls and women excited about a career in information security. With the massive cyber security talent shortage posing a real and growing threat, more is being done to encourage people to pursue a career in the field.
However, with so many jobs unfilled, rapid technological advances and our society’s increasing reliance on that technology—coupled with the increasing sophistication of cyber crime—closing the cyber security skills gap is no small feat. All evidence suggests that education is a crucial component.
About the Author:
Patricia De Saracho is a Senior Marketing Manager with the University of San Diego where she supports several graduate degree programs including the Master of Science in Cyber Security Operations and Leadership (MS-CSOL) and the Master of Science in Cyber Security Engineering. Patricia is passionate about education and the role it can play in affecting positive change. You can connect with the University of San Diego's cyber security programs on Twitter and Facebook.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.