Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

10:30 AM
Shelley Westman
Shelley Westman
Connect Directly
E-Mail vvv

Bridging the Cybersecurity Talent Gap

There's no one surefire way of fixing the problem, which endangers everyone's security. There are, however, several options we should try.

Three and a half million. That's how many unfilled cybersecurity jobs there are expected to be by 2021 —  more than the entire population of Iowa — according to Cybersecurity Ventures. It's also up from 1 million in 2016, a 250% increase in five years, at a time when cybersecurity is becoming even more vital to protecting our way of life.

The industry has been talking about this talent gap for some time, but the speed at which the problem is growing is startling. And unless we do something to address the issue, things will keep getting worse, putting not only the future of the cybersecurity industry at risk but jeopardizing the safety of millions of individuals, businesses, and institutions worldwide.

To cure the problem, we must first understand the root cause. Visibility isn't the issue — from data protection at Facebook to growing concerns about a new cyber Cold War with Russia, the cybersecurity field has never had a higher profile. And salary can't be the issue, either — after all, this is an industry where the average annual paycheck is $116,000, roughly three times the national median income for full-time workers and around double what a high school teacher might expect to take home each year.

So, now is the time for us to think outside the box and inspire a new, unprecedented generation of cybersecurity professionals to step forward. And while there is no one sure way of doing so, the good news is that there are plenty of options.

A great place to start is with educating teachers and career guidance counselors about careers in cybersecurity. After all, for many of them, the field simply didn't exist when they were in school. And if they don't know what the job entails, how can they inspire young people to consider it? Government initiatives like the Department of Homeland Security's free cybersecurity lesson plans for teachers can make a big difference, especially if replicated and scaled up with the help of private sector partners.

There's also some work to do on our industry's image problem. Far from its reputation as a geeky, siloed, and solely quantitative field, cybersecurity is an interesting, diverse, and — dare I say — sexy career. Highlighting the excitement that comes with a cybersecurity career can help attract people to the industry and reinvent the archetypal image of someone who is a "fit" for it. Cybersecurity requires creativity and collaboration skills as much as coding capabilities. Highlighting the wide range of skills needed could spark a new wave of college graduates from multiple degree disciplines to get into the field. And not just graduates but people currently working in different fields — including sales, client services, and marketing — all of whom possess valuable, transferable skills.

But if a major part of the solution to the talent gap lies with looking beyond traditional recruitment demographics, there is one group deserving particular attention: women. Right now, women represent more than 50% of college graduates in the US but only 10% of cybersecurity professionals. I have lost count of the number of industry conferences and events I've attended as an almost-lone female face.

As an industry, we could undoubtedly be doing a lot more to encourage women to join us. From challenging unconscious bias in recruitment to sponsoring cybersecurity-related events for girls in middle school, we need a system that educates and encourages women to consider careers in cybersecurity from an early age and supports them in pursuing it during adulthood.

Of course, I recognize my own role in this, too. Like my female peers across the industry, it's my duty to be a vocal and active role model in inspiring young women and their parents about the opportunities and benefits of the job I love. I'd like to see more companies follow the example of the place where I work, EY, which sponsors the US Entrepreneur of the Year Awards. Like 2017's technology category winner, Phyllis Newhouse, CEO of cybersecurity firm Xtreme Solutions, programs like this one can help unlock the talent we need to steer our industry — and others —into the future.

Closing the talent gap is, after all, about the future. As this transformative age continues to digitize the world and move life more online, we need an increasingly eclectic mix of the brightest and best minds, like Newhouse, to stay one step ahead of hackers and cybercriminals who are getting smarter, more determined, and more diverse all the time. 

The current — and growing — talent gap in cybersecurity puts all of us, along with our information, at risk. Unless we act now to close it, the gap itself may well be the least of our worries.

Related Content:

Shelley Westman is currently a Principal/Partner at EY in its Cybersecurity practice, where she has been since joining EY in September 2017. Prior to EY, Shelley served as Senior Vice President, Alliances & Field Operations at Protegrity, where she stayed for about a year. ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/1/2018 | 7:12:25 AM
Gender and "soft" skills
Yes a low percentage of students on our MSc in Digital Investigation and Forensic Computing are female but it is improving. Employers are requesting me to refer only female candidates in an atempt to redress their gender imbalance in security roles. Ref the commnet "Cybersecurity requires creativity and collaboration skills as much as coding capabilities" this is very true and those who graduate and progress into management roels are the ones who have or are willing to develop these skills.
User Rank: Ninja
5/30/2018 | 10:32:50 AM
Re: Management Attitude to IT
Agree - management does not separate (sometimes) the core IT functions of the business from the half-brother CyberSecurity side of the It world.  Two separate entities really connected together by function and form.  Cyber has REAL VALUE while running the data center is less quantifiable.   Management with insight (and I work for one such place) vlaues Cyber and can get benefit such as insurance costs covered.   We ADD VALUE. 
User Rank: Ninja
5/29/2018 | 12:54:10 PM
Re: Management Attitude to IT
As far as outsourcing of positions goes that is a risk for a majority of fields you can study going into school. I would make an argument that there are actually very few fields NOT at risk of automation/outsourcing. I think this puts individuals at more of a level playing field for making a determination. 

I do understand your point towards an expense line item. Cyber Security is a cost-saving platform instead of a revenue producing platform. That's not to say that the direct cost savings can not be quantified to the business, it would just take a mature program to provide metrics around security safeguards. For example, what was the average cost of a lost data record in that respective industry sector? Take that and multiply it by the number of DLP incidents blocked and you can quantify one cost savings potential for security. Another cost would be indirect costs. They can not so easily be quantified but brand reputation is a major item that can utilize trending to provide the business with an accurate view of what impact a cyber security incident/breach can have. "Mature program": many organizations lack is this area. Some of which due to the issue this article denotes.

As for the Equifax statement. I had not heard that one, but if such a claim was to be made it would definitely would have been done out of ignorance. If you have one individual in charge of patching and cannot allude to a platform for this mechanism you will have no leg to stand on. 
User Rank: Ninja
5/29/2018 | 7:13:25 AM
Management Attitude to IT
Has not changed over the years - the CSuite still believes IT just an expense line item with overpaid geeks making good money doing nothing and getting benefits.  Outsource is still a financial mandate so jobs go lacking and transferred to Bangalore or outsource to IBM or DCX or whatever.  Given this, why should any new grad go INTO a field where your job is automatically AT RISK just because of your existance!!!   And this involves security too.  Look at the dumb statement by former Equifax CEO who blamed the whole ENTIRE mess on just ONE individual who failed to patch.  Incredible ignorance.   If you expect intelligence there, you won't find it.  So management does not give a darn and positions go wanting.   
User Rank: Apprentice
5/28/2018 | 6:33:43 PM
Hmm, massive shortage...
So let's examine this claim that there is a critical shortage of Cybersecurity talent. If there were a tenth of the shortage that has been claimed in this article, one would expect to see increasing salaries for talent across the country. I don't think that should be a fantastic inference based on the "more than the entire population of Iowa" scale of this so called shortage.

It is interesting that when you go to websites like payscale.com (and others), that shortage doesn't seem to reflect salary trends in the industry. For example, according to the previously mentioned website, salaries for Cybersecurity analysts in Dallas have DECLINED 40% over the past three years! Other cities show similar trends. Nothing that indicates anything that resembles a shortage of talent.

Of course anyone over the age of thirty has seen this kind of hysteria before. And, as sure as the sun rises, we will soon hear the demands for massive increases in foreign work visas because " we just don't have enough people to do these jobs".

Fool me once, shame on you; fool me twice, shame on me.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...