Just this year, several high-profile cyber breaches exposed confidential information and resulted in millions of dollars in damages. Cybersecurity is more important than ever — a big problem for employers facing millions of unfilled cybersecurity positions and a shortage of talented workers.
As for the exact number of openings, the estimates vary — but none of them look good. There may be as many as 3.5 million unfilled cybersecurity positions by 2021.
As a result, cybersecurity professionals currently in the field are facing serious pressure and long working hours. At cybersecurity conferences, it's not uncommon to see entire tracks about managing mental health, addiction, and work stress. A kind of feedback loop may be forming — one where skilled professionals under major pressure burn out and leave the field, putting more strain on the workers that remain. The cycle continues, pushing talent out of cybersecurity and further widening the skills gap.
Some experts go further and call the gap a crisis, though it's not clear we've hit that level yet.
Employers are looking at different ways to handle this — by broadening the talent pool and by investing in tools that take the pressure off their cybersecurity workers.
When asked about the skills their organization is most likely to be missing, cybersecurity nearly always tops the list.
In a survey conducted by ESG this year, 53% of organizations reported they were facing a cybersecurity shortage. This is 10% more than in 2016. In every survey between this year and 2016, the number has only trended up.
There are other ways to look at the gap — by worker hours or by the total number of positions unfilled — but there's only one real conclusion to draw from the data. There aren't enough cybersecurity workers, and every year the skills gap grows worse. Despite pushes for better education and the increasing importance of cybersecurity, there are no signs it's closing or will begin to close in 2020.
The why of the skills gap is unclear. The number of graduates from cybersecurity programs is increasing. At the same time, the cost and frequency of cyberattacks are also rising. It may be that schools can't keep up with the growing levels of cybercrime and the needs of companies, especially in the wake of the past few years of high-profile breaches.
One possible reason for the skills gap may be that employers are looking for very specific candidates.
Cybersecurity can be a difficult field to break into if you don't have the resources to become credentialed. Even prospective candidates with ideal skill sets — experience with security and penetration testing, communication and teamwork skills, and the ability to train nontechnical staff — can be filtered out by automatic resume screening programs. These may be looking for specific job titles, certificates, and degrees.
If a resume doesn't pass the keyword filter, the hiring team may never get a chance to read it at all.
There are two possible solutions to this problem.
The first is to build a better talent pipeline — one that starts at the university or high school level. Employers may join with universities to sponsor programs that encourage or incentivize students to pick up technical certificates or switch their major to cybersecurity or a related field. The high worth of cybersecurity professionals and the strong value of cybersecurity degrees may encourage schools to invest in these programs, taking some of the pressure off employers.
This solution isn't universally popular. Some experts argue that cybersecurity training doesn't reflect the field — and that a classroom may never provide the right kind of experience.
The second solution is to broaden the talent pool by making it easier for talented professionals to break into cybersecurity. Hiring teams may relax requirements for entry-level positions, and companies may develop training programs that are designed to help other security experts learn about the field. This doesn't mean companies will begin hiring nontechnical staff. Rather, they'll start looking for skilled individuals with unconventional skill sets and a technical background who can be quickly brought up to speed — like veterans with security or technology training.
It's not clear if employers will take the training approach, however. While business leaders find cybersecurity more important every year, companies can be resistant to spending more on employee training. These expenditures increased in 2017 but declined last year.
Many new companies are developing AI antiviruses, anti-phishing tools and other cybersecurity platforms that may reduce the amount of labor needed from cybersecurity workers.
While AI is quite effective at pattern-finding and could be useful for cybersecurity workers, the tech isn't guaranteed to be helpful. Some of these antiviruses are susceptible to adversarial attacks. One popular AI-powered antivirus was defeated with just a few lines of text appended to some of the most dangerous malware out there.
Many cybersecurity experts are skeptical of AI tech in general and don't seem fully committed to the idea of a field where cybersecurity workers rely on these tools.
Companies may continue to invest in AI cybersecurity technology because there don't seem to be many other short-term solutions to the widening skills gap. Depending on how effective these technologies are, they may help reduce the number of cybersecurity openings that need to be filled.
Employers and cybersecurity professionals are facing a major shortage of skilled workers. At the same time, both the public and private sectors are dealing with a new wave of cyberattacks that put confidential information and critical systems at risk.
There are no signs yet that the cybersecurity skills gap will begin to close in 2020. Employers and training programs are looking for ways to bring new professionals into the field and expand the talent pipeline. At the same time, companies are investing in AI technology that may take some pressure off current cybersecurity workers.
Not all cybersecurity experts place their full faith in this technology, but some solutions will be necessary to reduce the pressure of the growing skills gap.
Kayla Matthews writes about big data, cybersecurity, and technology. You can find her work on The Week, Information Age, KDnuggets and CloudTweaks, or over at ProductivityBytes.com.