How serious is the cybersecurity skills gap? The cybersecurity unemployment rate is zero, with over 1 million jobs currently unfilled, a number that is expected to climb to 3.5 million by 2021. One in four respondents to a survey by ISACA’s Cybersecurity Nexus (CSX) reported that it takes their companies six months or longer to “fill priority cybersecurity and information security positions, yet KPMG’s 2017 U.S. CEO Outlook survey found that only 40% of American CEOs feel that their organizations are fully prepared to handle a cyber attack.”
While all organizations are having difficulty finding talent, small and medium-sized enterprises are in a particularly bad position, as they cannot afford the extraordinarily high salaries that qualified cybersecurity specialists command or design and implement zero-based training pipelines to “build their own” talent.
Enterprise networks at risk
The cyber skills gap coincides with a dramatic and ongoing escalation in the frequency, intensity and cost of cyber attacks. Thirty-two percent of organizations reported being victims of cyber crime in 2016, and 72% of CISOs predicted that their companies would be attacked within the next year. The average data breach in the U.S. costs $362 million, or $141 per record, the highest in the world.
As the cyber ecosystem grows more intricate, cyber criminals have more possible attack vectors—and enterprises have more areas to defend, including a growing number of connected devices, cloud computing solutions, and shadow IT applications. Regardless of size or industry vertical, it’s not a question of ‘if’ any given enterprise will be attacked, but ‘when’.
“TECHNOLOGY IS ONLY AS GOOD AS
THE HUMANS DEPLOYING IT.”
The crisis has attracted the attention of federal and local governments. The mayor of New York City recently announced a $30 million initiative to fund cybersecurity training, academic research and development labs with the goal of making the city “the cybersecurity capital of the world.” The Cyber Scholarship Opportunities Act, which is currently moving through the U.S. Senate, would expand the National Science Foundation’s CyberCorps: Scholarship-for-Service program, which funds cybersecurity education for college students who commit to government service after they graduate.
Skilled workers is what’s needed, not “magic technology, to bridge the gap
The New York initiative and the Senate bill are steps in the right direction, but both will take years to produce results, and organizations need help right now.
Although there is much talk of utilizing artificial intelligence and machine learning technologies to make up for a lack of security personnel, there is no such thing as “magic technology” that will take the place of human judgement; any technology is only as good as the humans who are deploying it. Cybersecurity is a human-centric field that requires boots on the ground to man network monitoring stations, detect and evaluate anomalies, and respond to cyber incidents. Security professionals also are needed to ensure compliance with applicable data security standards and train other employees on cybersecurity best practices to prevent them from falling prey to phishing and other social engineering schemes.
This leaves two other options for immediate relief:
Outsource some or all cybersecurity and compliance functions to a managed security services provider (MSSP)
Develop new talent in-house
Outsourcing cybersecurity and compliance to an MSSP offers numerous benefits, including significant cost savings versus having in-house staff, the ability to access a level of expertise that a company may not have in-house, and allowing internal staff to focus on projects that are directly related to the company’s core competency. However, outsourcing is not the right choice for every organization, and many companies need at least some security personnel on their own payroll.
This leaves job training programs, whether in the form of in-house academies, on-the-job-training, paid internship or apprenticeship programs, or some combination of these. Many organizations are eager to train their own talent but have no idea where to begin. CompTIA’s IT Ready program, an eight-week education, training and career placement program that prepares students to pass the CompTIA A+ certification exam, is one example of a highly successful job-training model within the tech industry.
Among the best practices that IT Ready follows are: It is zero-based. Applicants are not required to have any existing IT skills; they are instead selected based on interest, attitude and work ethic.
In addition to reading traditional academic study materials that expand their breadth and depth of knowledge, students are given hands-on experience working with modern and relevant technology while being monitored and mentored by certified IT professionals.
CompTIA works closely with employers to align skills training with actual workforce needs; students are trained on the exact technologies they will be using in job situations.
In addition to hard skills, students are trained on important soft skills such as punctuality, time management, collaboration and teamwork.
As successful as the IT Ready framework has been, it does not currently offer cybersecurity-specific training tracks. The traditional pipeline for candidates moving into cybersecurity has been from computer networking. However, many experts feel that cybersecurity can be a standalone area of expertise, filled by personnel with diverse backgrounds and experience levels.
To address the needs of companies that do not have the in-house resources to set up and run their own job training program, CompTIA is collaborating with its partners to develop programs specifically aimed at addressing the cybersecurity skills shortage. These “cyber academies” will be similar to IT Ready, but instead of training students to sit for the A+ exam, the goal is get real world cybersecurity experience while pursuing a CompTIA Security+ certification.
Some employers may be leery of implementing in-house training, fearing that apprentice cybersecurity workers may wash out or, once trained, be poached by competitors. However, these same risks exist when hiring applicants off the street, and keeping security job openings unfilled for weeks, months or even years is even riskier. How many cyber attacks will your company suffer while waiting for the perfect applicant to walk through the door?