Cybersecurity Faces 1.8 Million Worker Shortfall By 2022(ISC)2 report shows the skills shortage is getting worse.
Over the next five years, the number of unfilled cybersecurity jobs will rise to a whopping 1.8 million, a 20% increase from 2015 estimates, according to a new (ISC)2 survey released today.
Driving this widening shortage is not only the often discussed lack of qualified workers but also a greater need to bring in more warm bodies to tackle the rapidly evolving ways that cybercriminals and attackers are launching their nefarious activities, according to the report. It's getting easier for low-tech criminals to get into hacking, thanks to malware-as-a-service operations and crimeware kits.
Another report this week from Cybersecurity Ventures also attributes the immense shortage of cybersecurity workers to the soaring rise in cybercrime, and projected doubling of costs to $6 trillion annually worldwide by 2021. Cybersecurity Ventures is also predicting a much more dire staffing shortfall, with the industry facing a shortage of 3.5 million workers by 2021. While (ISC)2 calculated its data based on a survey of its security pros, CV's report drew from employment data gleaned from media, analysts, job boards, vendors, governments, and other organizations, on job opening data from the past five years.
"For the millions of companies around the globe, this is a real wake-up call," says Ray Rothrock, CEO of RedSeal, in response to the Cybersecurity Ventures data. "But if we can truly understand how our networks are configured and operate, and understand where our vulnerabilities lie, we'll be prepared to better respond to attacks, protect our networks, and prevent a breach - even in the face of a skilled labor shortage crisis."
(ISC)2's Global Information Security Workforce Study, which queried 19,000 cybersecurity professionals worldwide, found 66% of survey respondents feel they do not have enough employees to address the increasing level of threats coming their way. That figure was up from 62% in 2015.
North America had the greatest number of understaffed organizations, with 68% feeling the pressure. Latin America and also the Middle East-Africa followed, with 67% each, respectively.
While North America topped the list of regions with the most understaffed IT departments, in Europe, hiring managers expect to bump up their workforce by 15% or more.
"The forthcoming EU General Data Protection Regulation (GDPR) that was adopted on April 27, 2016, creates challenging data protection requirements for all individuals within the European Union. Consequently, there is heightened awareness throughout the EU about the need for cybersecurity professionals," says David Shearer, CEO of (ISC)2.
He added that the GDPR's compliance deadline of May 25, 2018, is fast approaching and that hiring plans throughout the EU are likely to be accelerated.
Pain Points Pinpointed
Among the various reasons why the cybersecurity labor shortage continues to increase, the issue of finding enough qualified workers topped the list, at 49%.
More than half of respondents in North America cite a lack of qualified workers as the main reason for their shortage of staff, a statistic that at first blush may seem surprising given the number of prestigious colleges and universities that offer IT degrees. Meanwhile, cybersecurity undergraduate programs are still less common than traditional computer science degrees.
"We could be focused on the wrong problem in thinking the dearth of talent within the industry is directly linked to the lack of technical colleges and universities producing STEM graduates," (ISC)2's Shearer says. "It may very well be that we’re not doing a good enough job of making the case to students that cybersecurity can be a rewarding career path from monetary, job stability, and a sense contribution perspectives."
When it comes to the greatest threats that worry IT security professionals, data exposure topped the list for cybersecurity professionals in North America (35%) and the Asia-Pacific region (37%), while hacking was the greatest concern in the Middle East-Africa region (47%). Ransomware loomed largest on the minds of 44% of survey respondents in Latin America and 28% in Europe, according to the (ISC)2 report.
Operations and security management talent is one of the most in demand, with 62% of survey respondents worldwide wishing for more people in those positions, according to the report. The second-most sought-after role was in the incident and threat management and forensics area, at 58%.
Shearer says it's important to keep in mind, however, that there remains a lack of consistent job titles within the international cybersecurity profession.
Solution Under Your Nose?
Despite growing concern there are not enough qualified cybersecurity officials to fill the millions of available IT security jobs, the solution may actually be within arms' reach - literally.
It turns out that 87% of cybersecurity officials worldwide came to the industry from another career, according to the report. And yet, according to Dark Reading's Surviving the IT Security Skills Shortage report, 58% of those surveyed indicated that prior experience defending a similar company or similar data was a key qualification in the hiring process.
While many cybersecurity professionals came from other areas within IT, according to the (ISC)2 report, 30% worldwide launched their cybersecurity career after holding a non-technical role such as in business, accounting, or marketing.
Some organizations point to training and certification as a way to beef up the cybersecurity ranks with non-technical workers, or even IT workers who come from outside of security.
"Training and certification are vitally important to developing skills that today’s cybersecurity professionals need. Looking outside traditional recruitment avenues is another viable solution – looking for those with more non-technical backgrounds," Shearer notes. "Some organizations are establishing developmental paths for entry-level candidates to deal with workforce capacity and succession planning."
Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.
Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio