Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

10:30 AM
Shelley Westman
Shelley Westman
Connect Directly
E-Mail vvv

Bridging the Cybersecurity Talent Gap

There's no one surefire way of fixing the problem, which endangers everyone's security. There are, however, several options we should try.

Three and a half million. That's how many unfilled cybersecurity jobs there are expected to be by 2021 —  more than the entire population of Iowa — according to Cybersecurity Ventures. It's also up from 1 million in 2016, a 250% increase in five years, at a time when cybersecurity is becoming even more vital to protecting our way of life.

The industry has been talking about this talent gap for some time, but the speed at which the problem is growing is startling. And unless we do something to address the issue, things will keep getting worse, putting not only the future of the cybersecurity industry at risk but jeopardizing the safety of millions of individuals, businesses, and institutions worldwide.

To cure the problem, we must first understand the root cause. Visibility isn't the issue — from data protection at Facebook to growing concerns about a new cyber Cold War with Russia, the cybersecurity field has never had a higher profile. And salary can't be the issue, either — after all, this is an industry where the average annual paycheck is $116,000, roughly three times the national median income for full-time workers and around double what a high school teacher might expect to take home each year.

So, now is the time for us to think outside the box and inspire a new, unprecedented generation of cybersecurity professionals to step forward. And while there is no one sure way of doing so, the good news is that there are plenty of options.

A great place to start is with educating teachers and career guidance counselors about careers in cybersecurity. After all, for many of them, the field simply didn't exist when they were in school. And if they don't know what the job entails, how can they inspire young people to consider it? Government initiatives like the Department of Homeland Security's free cybersecurity lesson plans for teachers can make a big difference, especially if replicated and scaled up with the help of private sector partners.

There's also some work to do on our industry's image problem. Far from its reputation as a geeky, siloed, and solely quantitative field, cybersecurity is an interesting, diverse, and — dare I say — sexy career. Highlighting the excitement that comes with a cybersecurity career can help attract people to the industry and reinvent the archetypal image of someone who is a "fit" for it. Cybersecurity requires creativity and collaboration skills as much as coding capabilities. Highlighting the wide range of skills needed could spark a new wave of college graduates from multiple degree disciplines to get into the field. And not just graduates but people currently working in different fields — including sales, client services, and marketing — all of whom possess valuable, transferable skills.

But if a major part of the solution to the talent gap lies with looking beyond traditional recruitment demographics, there is one group deserving particular attention: women. Right now, women represent more than 50% of college graduates in the US but only 10% of cybersecurity professionals. I have lost count of the number of industry conferences and events I've attended as an almost-lone female face.

As an industry, we could undoubtedly be doing a lot more to encourage women to join us. From challenging unconscious bias in recruitment to sponsoring cybersecurity-related events for girls in middle school, we need a system that educates and encourages women to consider careers in cybersecurity from an early age and supports them in pursuing it during adulthood.

Of course, I recognize my own role in this, too. Like my female peers across the industry, it's my duty to be a vocal and active role model in inspiring young women and their parents about the opportunities and benefits of the job I love. I'd like to see more companies follow the example of the place where I work, EY, which sponsors the US Entrepreneur of the Year Awards. Like 2017's technology category winner, Phyllis Newhouse, CEO of cybersecurity firm Xtreme Solutions, programs like this one can help unlock the talent we need to steer our industry — and others —into the future.

Closing the talent gap is, after all, about the future. As this transformative age continues to digitize the world and move life more online, we need an increasingly eclectic mix of the brightest and best minds, like Newhouse, to stay one step ahead of hackers and cybercriminals who are getting smarter, more determined, and more diverse all the time. 

The current — and growing — talent gap in cybersecurity puts all of us, along with our information, at risk. Unless we act now to close it, the gap itself may well be the least of our worries.

Related Content:

Shelley Westman is currently a Principal/Partner at EY in its Cybersecurity practice, where she has been since joining EY in September 2017. Prior to EY, Shelley served as Senior Vice President, Alliances & Field Operations at Protegrity, where she stayed for about a year. ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/1/2018 | 7:12:25 AM
Gender and "soft" skills
Yes a low percentage of students on our MSc in Digital Investigation and Forensic Computing are female but it is improving. Employers are requesting me to refer only female candidates in an atempt to redress their gender imbalance in security roles. Ref the commnet "Cybersecurity requires creativity and collaboration skills as much as coding capabilities" this is very true and those who graduate and progress into management roels are the ones who have or are willing to develop these skills.
User Rank: Ninja
5/30/2018 | 10:32:50 AM
Re: Management Attitude to IT
Agree - management does not separate (sometimes) the core IT functions of the business from the half-brother CyberSecurity side of the It world.  Two separate entities really connected together by function and form.  Cyber has REAL VALUE while running the data center is less quantifiable.   Management with insight (and I work for one such place) vlaues Cyber and can get benefit such as insurance costs covered.   We ADD VALUE. 
User Rank: Ninja
5/29/2018 | 12:54:10 PM
Re: Management Attitude to IT
As far as outsourcing of positions goes that is a risk for a majority of fields you can study going into school. I would make an argument that there are actually very few fields NOT at risk of automation/outsourcing. I think this puts individuals at more of a level playing field for making a determination. 

I do understand your point towards an expense line item. Cyber Security is a cost-saving platform instead of a revenue producing platform. That's not to say that the direct cost savings can not be quantified to the business, it would just take a mature program to provide metrics around security safeguards. For example, what was the average cost of a lost data record in that respective industry sector? Take that and multiply it by the number of DLP incidents blocked and you can quantify one cost savings potential for security. Another cost would be indirect costs. They can not so easily be quantified but brand reputation is a major item that can utilize trending to provide the business with an accurate view of what impact a cyber security incident/breach can have. "Mature program": many organizations lack is this area. Some of which due to the issue this article denotes.

As for the Equifax statement. I had not heard that one, but if such a claim was to be made it would definitely would have been done out of ignorance. If you have one individual in charge of patching and cannot allude to a platform for this mechanism you will have no leg to stand on. 
User Rank: Ninja
5/29/2018 | 7:13:25 AM
Management Attitude to IT
Has not changed over the years - the CSuite still believes IT just an expense line item with overpaid geeks making good money doing nothing and getting benefits.  Outsource is still a financial mandate so jobs go lacking and transferred to Bangalore or outsource to IBM or DCX or whatever.  Given this, why should any new grad go INTO a field where your job is automatically AT RISK just because of your existance!!!   And this involves security too.  Look at the dumb statement by former Equifax CEO who blamed the whole ENTIRE mess on just ONE individual who failed to patch.  Incredible ignorance.   If you expect intelligence there, you won't find it.  So management does not give a darn and positions go wanting.   
User Rank: Apprentice
5/28/2018 | 6:33:43 PM
Hmm, massive shortage...
So let's examine this claim that there is a critical shortage of Cybersecurity talent. If there were a tenth of the shortage that has been claimed in this article, one would expect to see increasing salaries for talent across the country. I don't think that should be a fantastic inference based on the "more than the entire population of Iowa" scale of this so called shortage.

It is interesting that when you go to websites like payscale.com (and others), that shortage doesn't seem to reflect salary trends in the industry. For example, according to the previously mentioned website, salaries for Cybersecurity analysts in Dallas have DECLINED 40% over the past three years! Other cities show similar trends. Nothing that indicates anything that resembles a shortage of talent.

Of course anyone over the age of thirty has seen this kind of hysteria before. And, as sure as the sun rises, we will soon hear the demands for massive increases in foreign work visas because " we just don't have enough people to do these jobs".

Fool me once, shame on you; fool me twice, shame on me.
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-20
A vulnerability of Helpcom could allow an unauthenticated attacker to execute arbitrary command. This vulnerability exists due to insufficient authentication validation.
PUBLISHED: 2021-04-20
vscode-restructuredtext before 146.0.0 contains an incorrect access control vulnerability, where a crafted project folder could execute arbitrary binaries via crafted workspace configuration.
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to an authenticated stored cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed....
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** The AdTran Personal Phone Manager software is vulnerable to multiple reflected cross-site scripting (XSS) issues. These issues impact at minimum versions 10.8.1 and below but potentially impact later versions as well since they have not previously been disclosed. Only...
PUBLISHED: 2021-04-20
** UNSUPPORTED WHEN ASSIGNED ** AdTran Personal Phone Manager 10.8.1 software is vulnerable to an issue that allows for exfiltration of data over DNS. This could allow for exposed AdTran Personal Phone Manager web servers to be used as DNS redirectors to tunnel arbitrary data over DNS. NOTE: The aff...