With the 20 percent rise in security breaches this year, both public and private sector organizations are increasing their cybersecurity budgets. The federal government raised its budget to $19 billion in 2017 from $14 billion in 2016, and J.P. Morgan doubled its budget to $500 million.
Bigger budgets, however, aren’t enough to thwart cyberattacks. Organizations need skilled security professionals who can prevent and detect breaches. The problem is they’re in short supply. More than one million cybersecurity jobs worldwide haven’t been filled, and that number is projected to grow to 1.5 million by 2019. Many security company executives also worry about a growing skills gap between black hat hackers and white hat hackers, coupled with an increase in the number of serious threat surfaces that place us all at risk.
The shortage is so severe that half of all security professionals receive one or more job solicitations per week, and 25 percent of chief information security officers receive five or more such solicitations. Many cyber workers are receptive to these offers because 44 percent of them report being only “somewhat satisfied” with their current jobs, according to the Enterprise Strategy Group and Information Systems Security Association.
Why aren’t they more satisfied? As many as 65 percent of security professionals surveyed say they lack a career path, and 56 percent cite a lack of adequate training, with two-thirds pointing to a lack of funded training as an important factor in leaving an organization.
By way of contrast, the Center for Strategic and International Studies found that the top reasons “cybersecurity ninjas” stay with an employer are:
- 72% – challenging work and employer-funded training
- 67% – flexible hours
- 58% – competitive pay and benefits
- 46% – promotions that don’t require moving into management.
Additionally, cybersecurity ninjas value working alongside skilled peers and earning certifications, with 56 percent holding a Certified Information Systems Security Professional (CISSP). Companies like Citibank received high marks from their cybersecurity employees for providing a work culture that meets these needs.
Root of the problem
However, even organizations that make all the right moves to retain security talent — and use automation technologies to spur productivity — face an uphill battle against increasingly sophisticated attackers, some of whom are well-organized, well-funded foreign governments.
In a recent radio interview Rodney Petersen, head of NIST’s National Initiative for Cybersecurity Education (NICE), said that lasting change begins with the U.S. educational system.
Petersen said it’s not just about training computer science students. It’s about making security part of an interdisciplinary curriculum, starting in elementary school. He gave the example of using basic math (e.g., 64 + 64) to introduce concepts like 64-bit computing and computer memory.
As security is taught across disciplines, bringing security awareness into the workplace also becomes part of doing business. Specialized security courses are still needed for computer science students, who will deal with security threats on the job and need to understand the larger picture of an organization’s security architecture.
Solutions for growing the cybersecurity workforce
The joint efforts of public and private sector groups are the keys to increasing the number of cybersecurity professionals. There are increasing opportunities for companies to fund students’ education in exchange for their working at those companies after graduation. Universities like Dakota State are already offering degrees and certificates to encourage existing technology professionals in related fields to transition into security.
As head of NICE, Petersen has three main objectives he’s working toward:
- Accelerate learning and skills development. NICE is using apprenticeships and dual high school and associate degrees to train the next generation of cybersecurity workers. Other organizations like the Department of Defense are adopting the ROTC model to train cyber warriors.
- Nurture a diverse learning community. The National Science Foundation and the National Security Agency are sponsoring GenCyber camps to interest underprivileged youth in pursuing cybersecurity degrees. The Department of Labor is also providing grants for cybersecurity certificate programs at community colleges.
- Guide career development and workforce planning. NICE created its Cybersecurity Workforce Framework to create a common language around cybersecurity work. It’s releasing a cybersecurity jobs heat map at its conference on November 1 to help organizations match supply and demand for workers. The heat map is a collaboration with CompTIA and Burning Glass.
These initiatives are positive steps toward closing the skills gap between the good guys and the bad actors. To turn the tide in our favor, we must continue to invest in the training and career paths of cybersecurity professionals, as well as enhance our own security awareness.
Tuula Fai is the senior marketing director at STEALTHbits. For the past 20 years, she has worked in a variety of roles in the software industry, starting as a developer and implementation engineer before moving into marketing. Having worked with both customer service and human resources clients, she is passionate about safeguarding customer and employee data as part of security initiatives. She can be reached at Tuula.fai@stealthbits.com and on Twitter.