The US Bureau of Labor Statistics predicts "information security analyst" will be the tenth-fastest-growing occupation over the next decade, with an employment growth rate of 31% (compared to the 4% average growth rate for all occupations). So why does the cybersecurity industry struggle to close the years-long gap between the number of job openings and qualified applicants? As a recent college graduate with a computer engineering degree, I know firsthand that companies and government agencies face significant challenges recruiting new grads as well as IT professionals who are considering a career change.
Computer science majors devote most of their time to learning programming languages, building applications, and figuring out how to work along the software development life cycle, while computer engineering majors focus on designing solutions for digital systems and building components. Upon graduation, their career path options may appear straightforward: software developer or engineer. They might believe the only path to a cybersecurity career lies in developing security systems and software for businesses or cybersecurity solutions vendors.
But that's a very limited perspective of the wide range of cybersecurity-related positions organizations are desperate to fill — and have been for the last several years.
Cybersecurity career and workforce resource CyberSeek reports there are 465,000 cybersecurity job openings in the United States, up from nearly 302,000 in its 2017 survey. According to (ISC)², an international nonprofit that offers cybersecurity training and certification programs, the number of unfilled cybersecurity roles spikes to nearly 3.1 million worldwide.
New Challenges Increase the Urgency to Upskill and Fill Roles
The fact that bad actors continue to become more sophisticated and insidious in their methods exacerbates an already urgent situation. Organizations are constantly bombarded by sophisticated attacks, even as their security teams wrestle with digital transformation initiatives that call for migrating more IT systems from on-premises data centers to the cloud. Enterprises are increasingly deploying workloads across a mix of public and private cloud technologies, and these multicloud and hybrid environments create new challenges that weren't top-of-mind even a few years ago.
"Docker and Kubernetes emerged in 2013 and 2014 respectively, so they had no training or lessons in these specific cloud-native technologies," says my colleague Jake Meloche, a solutions architect with Aqua Security. "With new technologies rapidly developing and constantly changing, colleges can't keep up with the curriculum. Regardless of the type of security role you land, classes will only have taught you so much."
Training, Mentors, and Defined Career Paths Needed
A survey by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) found many factors behind the skill gap, most notably a lack of training and career-development opportunities. More than two-thirds of the cybersecurity professionals ESG and ISSA surveyed said they do not have a well-defined career path. Therefore, they struggle with completing basic career growth activities such as finding mentors, getting basic cybersecurity certifications, and taking on cybersecurity internships.
And I can tell you from personal experience that this lack of a clear career path begins early with college students.
My colleagues and I have at least two things in common: We received little (to no) exposure to the multiple cybersecurity career paths that our traditional computer science or engineering degrees opened to us, and therefore we all stumbled onto our careers in cloud security.
Consider the freshly minted computer science degree holder who comes across a job posting for a cybersecurity "solutions architect" or "presales engineer." Their first reaction might be, "That's a sales position; it doesn't match the skills I've spent the last four (or more) years of my life acquiring."
According to the ESG/ISSA report, CISOs are doing little to debunk that misperception by only looking for candidates with narrow technical skill sets at the expense of other necessary qualifications.
"This may reveal that few CISOs have the blend of business, leadership, communications, and technical skills necessary for success," wrote the report's authors. "CISOs are business, not technical, leaders."
Consider the role of a solutions architect. It requires the right mix of social and interpersonal skills and technical strengths. I must be able to dive into the technical weeds with some people and also speak in non-technical terms to employees and their managers.
Forging a Path for the Cybersecurity Profession
I may be a recent college graduate, but my degree really represents the beginning of my education and training. I'm constantly working to learn about changes to how organizations are building enterprise IT architectures and the evolving threats they face to their systems and data stores. In many instances, there isn't a quick answer from product management or developers, so there's a lot of fast problem solving required to get to the solution.
So what's the path forward? For college students and midcareer professionals, explore opportunities fully rather than simply reading the title of a job description. Look at college job boards and internal job recruiting sites, and connect with alumni and cybersecurity professionals at events like Black Hat 2021.
For recruiters, look to broaden the pool of candidates. Your organizations need people with skills that range from technical to strategic to storytelling. And once you make a hire, continue investing in their education and training.
"There's a whole world of technologies that you aren't exposed to in college," adds Matt Garafalo, another solutions architect at Aqua. "Find a company that supports both a willingness to learn and an eagerness to keep up with a fast-paced environment such as cloud-native security."
"Aside from compensation, cybersecurity job satisfaction is a function of many factors such as support and encouragement for continuing cybersecurity education, business management's commitment to strong cybersecurity, and the ability to work with highly skilled and talented cybersecurity staff," the ESG/ISSA report found. "Organizations with all these qualities will have a distinct advantage in recruiting and hiring as they add to their cybersecurity staff."