The Cybersecurity Talent Gap

Katherine Heires


March 21, 2018

In the first six months of 2017, more than 900 reported data breaches compromised 1.9 billion data records, according to the Breach Level Index published by digital security provider Gemalto. The same study also showed that in 2017 the number of lost, stolen or compromised records increased by 164% as compared to the same period in 2016, with events such as the release of the ransomware virus WannaCry and the data breach at credit rating agency Equifax, which compromised the personal data of 147.9 million Americans, helping to exacerbate the problem.

With data breaches and hacking incidents becoming all-too-common occurrences, organizations need talented cybersecurity professionals to help them address the threat and ensure that business operations continue unimpeded. The problem is that there are not enough qualified individuals to fill these roles, and this talent gap has many risk experts and industry analysts on high alert.

“The cybersecurity workforce shortage is the single biggest threat to organizations globally and the problem is getting worse not better,” said Stephen C. Morgan, founder of research firm Cybersecurity Ventures. His company predicts there will be 3.5 million unfilled cybersecurity jobs in 2021, up from 1 million in 2014.

The 2017 Global Information Security Workforce Study issued by Frost & Sullivan, in conjunction with the Center for Cyber Safety and Education and (ISC)², predicts a less daunting but still ominous number: By 2022, there will be a shortage of 1.8 million information security workers.

In addition, a 2017 Information Systems Security Association (ISSA) study revealed that security professionals view the cybersecurity skills and talent gap as a leading cause of data breach problems, with 31% of those surveyed identifying a lack of adequate training of non-technical employees as a root cause, while 22% cite the lack of adequate cybersecurity staff as a major factor. “If we don’t address this situation appropriately, it will present an existential threat to business and other organizations,” said Candy Alexander, a member of the ISSA board.

Industry experts say that while there is growing awareness of the cybersecurity problem, tackling the skills and talent issue will not be easy. “There is no silver bullet or one thing we can do to solve this problem,” said Heather Ricciuto, academic outreach leader at IBM Security.

A key part of the challenge is that the cybersecurity programs at four-year colleges are not graduating enough students to fill the talent gap. One estimate puts the annual number of college graduates at 5,000, while at the same time, there are hundreds of thousands of unfilled cybersecurity jobs—approximately 350,000 in 2017.

Experts say one solution is for the industry to aggressively expand its hiring reach, an effort that is currently underway at IBM and at other firms. “What we have done is recognize that not every job in cybersecurity requires a four-year degree and that there are a range of jobs that require different skills,” Ricciuto said. “We don’t make a bachelor degree a prerequisite, but we do look at people, for example, with college certificates and military background.”

Another part of the challenge is the nature of cybersecurity work, which makes it difficult to find the right people. “Software engineers learn and know how to build products in a disciplined and organized way,” said Vincent Weafer, vice president at McAfee Labs. Cybersecurity teams, however, require a very different type of thinking. “You need to understand how things break, how an attacker might come after you, how to investigate and you need to utilize a lot of creative, right brain thinking,” he said.

Others call for greater diversity in hiring practices to help expand the pool of qualified candidates. “One of the big problems in the cybersecurity industry is the lack of women in the industry and the same goes for minorities as well,” said Shelley Westman, a principal at EY Advisory focused on cybersecurity. She pointed out that women make up over 50% of college graduates but only 10% of security professionals and that needs to change. “Our clients need to take part in the solution by partnering with universities and assigning mentors and sponsors to employees,” she said, which would encourage all types of individuals to join the cybersecurity field.

Another solution is for businesses to provide access to training and cross-training on an ongoing basis, both to bring current employees into the cybersecurity discipline and to keep employees educated about the fast-changing cybersecurity environment. “Organizations need to provide at least one hour a day of online training to keep cybersecurity professionals up-to-date,” Alexander said.

Ricciuto believes that businesses can also work with schools to help encourage and support cybersecurity training for elementary and high school students to create more awareness of cybersecurity as a career path. “We need to get to the point where young people say ‘I want to be a cybercrime fighter,’” she said.

Allen Parrish, a professor of cyber science at the U.S. Naval Academy, said while he welcomes industry support of cybersecurity training, he hopes that it will not be limited to current industry needs. “If you only look at what employers want now, you will get a program that simply teaches to the needs of today.” He fears this strategy could offer far less academic rigor.

One partnership program that appears to be working reaches out to a broad range of students, schools and businesses. The Cybersecurity Workforce Alliance was founded by Frank C. Cicio, a serial software entrepreneur. Three years ago, he became aware of the gap issue and launched what he calls a “virtual apprenticeship program” that brings 730 industry professionals to classrooms via computer to help get young people excited and involved in cybersecurity training. “It’s a multidisciplinary training program that is not just about coding but also policy issues, compliance, risk and security awareness,” Cicio said.

Through his latest software venture, the program also helps students learn about the 40-plus job categories in cybersecurity and gain an understanding of their skill set strengths. The IQ4 platform can also be used within companies to benchmark employees’ cybersecurity skills. “Our goal is to work with 100,000 students over the next three years,” he said.

According to Weafer, businesses can take action in the following ways:

  • Partner both with universities and high schools to work to build up the pipeline of security professionals and potential hires through internships.

  • Provide continuous training for new and old hires. “The nature of cyberattacks changes all the time so the model of continuous training is absolutely required,” he said.

  • Assign people on a cybersecurity team who can train others and function as a mentor or find someone outside your firm who can perform this function.

  • Get involved in industry alliances such as the Cyber Threat Alliance to share security intelligence and work smarter with the team.

  • Reduce the workload for cybersecurity teams by utilizing artificial intelligence and machine learning or other technologies to scale the job better, allowing employees to do more on the job.

Another key ingredient is bringing management into the fold, to support such efforts, both financially and verbally. “Executives are coming to terms with the issue, but we have a substantial way to go,” said Dr. Emma Garrison-Alexander, vice dean and professor at the University of Maryland’s University College Cybersecurity Program.

Finally, companies need to continue to push forward. “We have to be relentless in solving the cybersecurity talent shortage as the problem is not going to go away anytime soon,” Ricciuto said. “Although all the new technologies around us are making our lives so much easier, they are also presenting a lot more risk that needs to be managed.”

Katherine Heires is a freelance business journalist and founder of MediaKat LLC.