Careers & People

5/25/2018
10:30 AM
Shelley Westman
Shelley Westman
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Bridging the Cybersecurity Talent Gap

There's no one surefire way of fixing the problem, which endangers everyone's security. There are, however, several options we should try.

Three and a half million. That's how many unfilled cybersecurity jobs there are expected to be by 2021 —  more than the entire population of Iowa — according to Cybersecurity Ventures. It's also up from 1 million in 2016, a 250% increase in five years, at a time when cybersecurity is becoming even more vital to protecting our way of life.

The industry has been talking about this talent gap for some time, but the speed at which the problem is growing is startling. And unless we do something to address the issue, things will keep getting worse, putting not only the future of the cybersecurity industry at risk but jeopardizing the safety of millions of individuals, businesses, and institutions worldwide.

To cure the problem, we must first understand the root cause. Visibility isn't the issue — from data protection at Facebook to growing concerns about a new cyber Cold War with Russia, the cybersecurity field has never had a higher profile. And salary can't be the issue, either — after all, this is an industry where the average annual paycheck is $116,000, roughly three times the national median income for full-time workers and around double what a high school teacher might expect to take home each year.

So, now is the time for us to think outside the box and inspire a new, unprecedented generation of cybersecurity professionals to step forward. And while there is no one sure way of doing so, the good news is that there are plenty of options.

A great place to start is with educating teachers and career guidance counselors about careers in cybersecurity. After all, for many of them, the field simply didn't exist when they were in school. And if they don't know what the job entails, how can they inspire young people to consider it? Government initiatives like the Department of Homeland Security's free cybersecurity lesson plans for teachers can make a big difference, especially if replicated and scaled up with the help of private sector partners.

There's also some work to do on our industry's image problem. Far from its reputation as a geeky, siloed, and solely quantitative field, cybersecurity is an interesting, diverse, and — dare I say — sexy career. Highlighting the excitement that comes with a cybersecurity career can help attract people to the industry and reinvent the archetypal image of someone who is a "fit" for it. Cybersecurity requires creativity and collaboration skills as much as coding capabilities. Highlighting the wide range of skills needed could spark a new wave of college graduates from multiple degree disciplines to get into the field. And not just graduates but people currently working in different fields — including sales, client services, and marketing — all of whom possess valuable, transferable skills.

But if a major part of the solution to the talent gap lies with looking beyond traditional recruitment demographics, there is one group deserving particular attention: women. Right now, women represent more than 50% of college graduates in the US but only 10% of cybersecurity professionals. I have lost count of the number of industry conferences and events I've attended as an almost-lone female face.

As an industry, we could undoubtedly be doing a lot more to encourage women to join us. From challenging unconscious bias in recruitment to sponsoring cybersecurity-related events for girls in middle school, we need a system that educates and encourages women to consider careers in cybersecurity from an early age and supports them in pursuing it during adulthood.

Of course, I recognize my own role in this, too. Like my female peers across the industry, it's my duty to be a vocal and active role model in inspiring young women and their parents about the opportunities and benefits of the job I love. I'd like to see more companies follow the example of the place where I work, EY, which sponsors the US Entrepreneur of the Year Awards. Like 2017's technology category winner, Phyllis Newhouse, CEO of cybersecurity firm Xtreme Solutions, programs like this one can help unlock the talent we need to steer our industry — and others —into the future.

Closing the talent gap is, after all, about the future. As this transformative age continues to digitize the world and move life more online, we need an increasingly eclectic mix of the brightest and best minds, like Newhouse, to stay one step ahead of hackers and cybercriminals who are getting smarter, more determined, and more diverse all the time. 

The current — and growing — talent gap in cybersecurity puts all of us, along with our information, at risk. Unless we act now to close it, the gap itself may well be the least of our worries.

Related Content:

Shelley Westman is currently a Principal/Partner at EY in its Cybersecurity practice, where she has been since joining EY in September 2017. Prior to EY, Shelley served as Senior Vice President, Alliances & Field Operations at Protegrity, where she stayed for about a year. ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
rupertbowen
50%
50%
rupertbowen,
User Rank: Apprentice
6/1/2018 | 7:12:25 AM
Gender and "soft" skills
Yes a low percentage of students on our MSc in Digital Investigation and Forensic Computing are female but it is improving. Employers are requesting me to refer only female candidates in an atempt to redress their gender imbalance in security roles. Ref the commnet "Cybersecurity requires creativity and collaboration skills as much as coding capabilities" this is very true and those who graduate and progress into management roels are the ones who have or are willing to develop these skills.
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
5/30/2018 | 10:32:50 AM
Re: Management Attitude to IT
Agree - management does not separate (sometimes) the core IT functions of the business from the half-brother CyberSecurity side of the It world.  Two separate entities really connected together by function and form.  Cyber has REAL VALUE while running the data center is less quantifiable.   Management with insight (and I work for one such place) vlaues Cyber and can get benefit such as insurance costs covered.   We ADD VALUE. 
RyanSepe
0%
100%
RyanSepe,
User Rank: Ninja
5/29/2018 | 12:54:10 PM
Re: Management Attitude to IT
As far as outsourcing of positions goes that is a risk for a majority of fields you can study going into school. I would make an argument that there are actually very few fields NOT at risk of automation/outsourcing. I think this puts individuals at more of a level playing field for making a determination. 

I do understand your point towards an expense line item. Cyber Security is a cost-saving platform instead of a revenue producing platform. That's not to say that the direct cost savings can not be quantified to the business, it would just take a mature program to provide metrics around security safeguards. For example, what was the average cost of a lost data record in that respective industry sector? Take that and multiply it by the number of DLP incidents blocked and you can quantify one cost savings potential for security. Another cost would be indirect costs. They can not so easily be quantified but brand reputation is a major item that can utilize trending to provide the business with an accurate view of what impact a cyber security incident/breach can have. "Mature program": many organizations lack is this area. Some of which due to the issue this article denotes.

As for the Equifax statement. I had not heard that one, but if such a claim was to be made it would definitely would have been done out of ignorance. If you have one individual in charge of patching and cannot allude to a platform for this mechanism you will have no leg to stand on. 
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
5/29/2018 | 7:13:25 AM
Management Attitude to IT
Has not changed over the years - the CSuite still believes IT just an expense line item with overpaid geeks making good money doing nothing and getting benefits.  Outsource is still a financial mandate so jobs go lacking and transferred to Bangalore or outsource to IBM or DCX or whatever.  Given this, why should any new grad go INTO a field where your job is automatically AT RISK just because of your existance!!!   And this involves security too.  Look at the dumb statement by former Equifax CEO who blamed the whole ENTIRE mess on just ONE individual who failed to patch.  Incredible ignorance.   If you expect intelligence there, you won't find it.  So management does not give a darn and positions go wanting.   
dtdavis
100%
0%
dtdavis,
User Rank: Apprentice
5/28/2018 | 6:33:43 PM
Hmm, massive shortage...
So let's examine this claim that there is a critical shortage of Cybersecurity talent. If there were a tenth of the shortage that has been claimed in this article, one would expect to see increasing salaries for talent across the country. I don't think that should be a fantastic inference based on the "more than the entire population of Iowa" scale of this so called shortage.

It is interesting that when you go to websites like payscale.com (and others), that shortage doesn't seem to reflect salary trends in the industry. For example, according to the previously mentioned website, salaries for Cybersecurity analysts in Dallas have DECLINED 40% over the past three years! Other cities show similar trends. Nothing that indicates anything that resembles a shortage of talent.

Of course anyone over the age of thirty has seen this kind of hysteria before. And, as sure as the sun rises, we will soon hear the demands for massive increases in foreign work visas because " we just don't have enough people to do these jobs".

Fool me once, shame on you; fool me twice, shame on me.
Microsoft Fixes 11 Critical, 39 Important Vulns
Kelly Sheridan, Staff Editor, Dark Reading,  6/12/2018
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Cisco Talos Summit: Network Defenders Not Serious Enough About Attacks
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Surviving the IT Security Skills Shortage
Surviving the IT Security Skills Shortage
Cybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12580
PUBLISHED: 2018-06-19
library/DBTech/Security/Action/Sessions.php in DragonByte vBSecurity 3.x through 3.3.0 for vBulletin 3 and vBulletin 4 allows self-XSS via $session['user_agent'] in the "Login Sessions" feature.
CVE-2018-12578
PUBLISHED: 2018-06-19
There is a heap-based buffer overflow in bmp_compress1_row in appliers.cpp in sam2p 0.49.4 that leads to a denial of service or possibly unspecified other impact.
CVE-2018-1061
PUBLISHED: 2018-06-19
python before versions 2.7.15, 3.4.9, 3.5.6 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
CVE-2018-1073
PUBLISHED: 2018-06-19
The web console login form in ovirt-engine before version 4.2.3 returned different errors for non-existent users and invalid passwords, allowing an attacker to discover the names of valid user accounts.
CVE-2018-12557
PUBLISHED: 2018-06-19
An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could ...