The growing cybersecurity skills gap makes it increasingly difficult for both the public and private sectors to recruit and retain personnel with the expertise needed to safeguard critical systems and sensitive information.
A recent study conducted by consulting firm Frost & Sullivan on behalf of (ISC)2 estimated that the number of security professionals was around 2.25 million globally in 2013, but market indicators show the need for as many as 4.25 million security professionals by 2017, representing the potential for a 47% shortage in qualified personnel.
“The 2013 (ISC)2 Global Information Workforce Study found an ever widening gap between the supply of qualified information security professionals and the demand for skilled workers to secure critical information and the cyber world,” the report states.
“The study shows that the workforce will grow at a compound annual growth rate of 11.3% globally between now and 2017, calling for an additional 2.0 million new workers.”
The shortage of skilled security pros has created a fiercely competitive marketplace for qualified personnel – something that may be good for job security and compensation, but is quite bad for organizations seeking to protect sensitive data.
The study found that 56% of respondents believe their organization does not have enough security professionals to manage current threat levels, and the future looks somewhat bleak as adversaries hone their techniques and advanced evasion techniques become more prominent.
The report also found that about 35% of respondents are actively seeking to hire more security personnel but are finding it increasingly difficult to recruit employees with the needed expertise and experience. It noted that demand for information security professionals increased 3.5 times faster than demand for other IT specialists over the last five-year period, and that job postings in the U.S. increased 73% for infosec, in stark contrast to the 6% average for all jobs.
The lack of available talent is even more of an issue for the public sector where compensation tends to be less competitive than in the private sector, and even more so when it comes to the military. Secretary of Defense Chuck Hagel said in a recent speech that the Department of Defense is working to build a cyber force numbering in the thousands over the next few years.
“In 2016, [the DoD’s] force should number over 6,000 professionals… To accomplish this goal, we are recruiting talent from everywhere. But we’re also encouraging people already here in the military, in DOD, to develop… cyber skills,” Hagel said.
“America has always adapted to new threats. But today, a networked world — a world in which oceans are crossed at the speed of light — presents challenges to American security that our nation has never before confronted.”
Jane Lute, former DHS Deputy Secretary and current President and CEO of the Council on Cyber Security, says part of the problem is that too much effort and resources are being wasted in trying to organize every IT function under the cybersecurity umbrella, when exactly the reverse is needed.
Lute noted that cybersecurity responsibilities must instead be clearly assigned for every stakeholder in an organization’s ecosystem — be they end users, systems administrators, data managers, or security specialists.
“Professionalizing cybersecurity is overdue, and those who say that we must first wait until the field stabilizes are far off the mark,” Lute said.
“The fact of the matter is, this country does not yet have, in the number it needs, cybersecurity specialists with the most sophisticated skills and capabilities, and this situation must change quickly and in a way that allows all of us to have confidence in the skills and competencies of professionals in this field.”
The cybersecurity skills gap will ultimately force organizations in both the public and private sector to increasingly be in competition with one another to recruit and retain the best talent, creating an exceptional opportunity for those in the position to capitalize on it.