Filling the Cybersecurity Gap

Wesley W. Simpson


December 1, 2016


It is clear that organizations are increasingly placing their networks and IT systems at risk due to the ever-growing “cybersecurity gap.” A lack of trained and available information security talent is leaving businesses shorthanded, positioning them as likely targets for adversaries looking to compromise operations or steal private and proprietary data.

The recent (ISC)2 Global Information Security Workforce Study illustrates this issue in stark detail. The report projects that the global information security workforce shortfall will reach 1.5 million workers within five years. The nearly 14,000 qualified information security professionals who took part in the study are already feeling the strain: only half believe their organization is capable of sufficiently discovering and recovering from a breach, and only one-fifth indicate that they can complete remediation within a day of a system or data compromise (down from 33% in 2011).

Other findings reveal additional, troubling developments:

  • With an insufficient pool of available, suitable job candidates, 62% of respondents say that their organization has too few information security professionals, up from 56% in 2013.

  • Two-thirds are concerned about security technology “sprawl”—a significant increase in the number of tech products, vendors and management consoles, leaving 64% of respondents saying they face challenges in training in-house security personnel to “cover all of our technologies.”

  • Cybersecurity as a vocation continues to “go gray,” with fewer young people taking this career path. Just 6% of respondents were under age 30, and the average age was 42. More than three out of five are 40 or older.

Education and training remain key, as many organizations are now recognizing. To retain current staffers, 61% of survey respondents said they need to offer training programs, and 59% said their company is willing to cover staffers’ professional security certification expenses. In terms of the most in-demand skills required to respond to the threat landscape over the next three years—and thus critical areas of training focus—respondents ranked risk assessment and management at the top (55%); followed by incident investigation and response (52%); governance, risk management and compliance (48%); analytical skills (42%); and architecture (38%).

Without intense focus on these areas of education and training needs, organizations will expose themselves to risk levels that could prove crippling. Security roles are already getting “pushed onto” non-security IT professionals, leaving some tasks unattended or underperformed.

For decades, science, technology, engineering and math (STEM) education programs have attempted to address shortcomings in technology knowledge, but while STEM has helped boost interest in IT overall, it has not done enough for cybersecurity specifically. In fact, in many cases, cybersecurity is not included as part of the core curriculum for college computer science or computer engineering degree programs.

In addition, only 26% of millennials said that their high school education prepared them to use technology safely, securely, ethically and productively in the workplace, according to research from Raytheon. Three out of five are unaware or unsure of the typical range of responsibilities that are involved in a cybersecurity career, and the same portion never received formal cybersecurity training in school.

Private industry must work with academia to help raise awareness of cybersecurity as a possible vocation. Such education is important for all students because, when it comes to threat awareness, every single user impacts the risk equation for modern enterprises.

Cybersecurity advocates in the public, private and academic worlds must come together to build a bridge for the next generation. Many efforts are under way, but they are conducted piecemeal, each communicated in its own nomenclature. Instead of raising awareness and encouraging careers in the discipline in silos, cybersecurity professionals need a unified platform through which young people learn core best practices as users.

Without the proactive grooming of this generation, the cybersecurity gap will only expand—and raise the risk of devastating breaches to even greater levels.

Wesley W. Simpson is COO of the International Information System Security Certification Consortium, or (ISC)2, an international nonprofit membership association of cyber, information, software and infrastructure security professionals.