
11/7/2019
11:55 AM
Curtis Franklin Jr.

Find New Talent, Don't Fight Over CISSPs: Insights from (ISC)2 COO

The skills gap will only be closed by attracting and retaining new talent. So don't limit your talent search to CISSPs, says the COO of the organization that issues the CISSP certification.

(image by zinkevych, via Adobe Stock)

Two point eight million. That's how many cybersecurity professionals are laboring in most of the world's major economies to keep malware writers, fraudsters, nation-state actors, and assorted script-kiddies at bay. It's a security force that's not nearly big enough for the job, but according to a new survey, it's a force armed with knowledge, skill, and a general sense of satisfaction with their work.

(ISC)2's "2019 Cybersecurity Workforce Study" shows that the global cybersecurity workforce needs to grow by 145% if it's to meet the existing needs. That means a cybersecurity workforce of 6.82 million professionals globally. And the picture the study paints of the existing landscape provides some insight into how — and whether — that 4.07 million professional gap can be bridged.

"I don't want to paint a gloom-and-doom picture," says Wesley Simpson, (ISC)2's chief operating officer. "We need to think about how we close the gap differently. What we're doing today to get new cybersecurity professionals into the industry isn't working fast enough."

To close the gap, Simpson says the security industry needs to look outside its traditional thinking about what a security professional looks like. "Typically in the past, everyone wants a cybersecurity expert who wants five years and a CISSP. There are only about 130,000 people who fit that worldwide," he explains. 

The answer, Simpson says, is for organizations to grow their own cybersecurity pros. Simpson has several suggestions for steps the organizations can take in order to create their own cybersecurity professionals. At one level, he suggests steps like creating apprenticeship programs within the organization so that those who aren't already skilled in cybersecurity can gain expertise in the field.

"Cast a big net. We need people from all different backgrounds and degrees," Simpson says. "Don't focus on STEM- or [computer science]-educated people."

One of the advantages of adding those with liberal arts educations to the cybersecurity team, says Simpson, is that they excel at telling the security story. Cybersecurity teams complain about not getting the resources they need, he says, but they can be quite bad at telling a convincing story about the work they do and the needs they face.

"The liberal arts people are better at telling the story, crafting the story, and talking to all the people they need to talk with to build the story," he says.

Challenge for the Ages

One of the study findings that goes against the stereotype of the young hacker is that relatively few cybersecurity professionals are in the early stages of their careers. While 34% of professionals are Millennials or younger, only 5% belong to Gen Z (born between 1996 and 2010). Simpson believes that cybersecurity's image is one reason young professionals aren't flocking to the field.

"Google cybersecurity and in the first three images you'll get the hacker in the dark hoodie. The image is very negative," he says.

In addition, there's a negative image to the life cybersecurity professionals lead.

"The stereotype of cybersecurity is very negative — long hours, burnout, not appreciated, and not listened to," Simpson explains. In addition, he says, the industry has created the perception that cybersecurity is a very difficult field to enter.

"The industry has grown up so fast that we've made it very confusing for the new candidate," Simpson says. "There's a lack of consistency and commonality around career paths, taxonomy, job description, tasks, and other things."

When that lack of consistency hits the HR department that's involved in hiring, the result is a sort of buzzword bingo that ends up filtering out many great candidates, Simpson says. Instead of working to filter candidates out, he says that companies should be working to show what a great career cybersecurity can be.

"We need to say that we value, train, and develop the individuals," he says.

Digging In

It's notable that the issue is in attracting new cybersecurity professionals, not retaining those already in the field. Those responding to the survey had an average of nine years in an IT role, with six years at their current organizations, and five years in a cybersecurity role. Two-thirds (66%) of respondents report they are either somewhat satisfied (37%) or very satisfied (29%) in their jobs, and 65% intend to work in cybersecurity for their entire careers.

Among those responding to the survey, 30% were women, with women making up 23% of those with cybersecurity-specific titles. The key to getting more women, and more younger professionals, into the field is in answering a key question, Simpson says: "How do we create a cybersecurity culture that's wanted, is listened to, has a career path, and is appreciated?"

Answering those questions will help bring cybersecurity professionals in from other fields. Already, just 42% of respondents indicate they started their careers in cybersecurity, meaning 58% moved into the field from other disciplines. 


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ...

REISEN1955,
User Rank: Ninja
11/8/2019 | 1:38:33 PM
Re: Gen Z
A growing number of 10 year old engineers are invading the marketplace and god help us from those up and coming 5 year olds who play games better than us old farts.  
NeverEnoughToys,
User Rank: Apprentice
11/8/2019 | 11:06:11 AM
Gen Z
So, only 5% of cybersecurity professionals are between the ages of 9 and 23?  Only?  I'd think that's quite high for that age group.
Dan_I,
User Rank: Apprentice
11/7/2019 | 3:55:59 PM
Advice for aspiring cyber security professional
I would agree that the field is difficult to get into, and I think that having a more structured way to enter the field would help.

There is nothing I can do personally to change this (at least not right now). What advice would you give a young professional, with a degree in computer science, that wants to break into the field now? I have a certification in cyber security and I want to pursue more in the future. Should I be looking at more general IT jobs? Development jobs?

The most common advice I see is "keep learning." While this is great advice and I try to stay up to date by reading blogs and bug bounty write-ups, this doesn't really give me anything to show for it or put on a resume.

Thanks in advance to everyone.