Two point eight million. That's how many cybersecurity professionals are laboring in most of the world's major economies to keep malware writers, fraudsters, nation-state actors, and assorted script-kiddies at bay. It's a security force that's not nearly big enough for the job, but according to a new survey, it's a force armed with knowledge, skill, and a general sense of satisfaction with their work.
(ISC)2's "2019 Cybersecurity Workforce Study" shows that the global cybersecurity workforce needs to grow by 145% if it's to meet the existing needs. That means a cybersecurity workforce of 6.82 million professionals globally. And the picture the study paints of the existing landscape provides some insight into how — and whether — that 4.07 million professional gap can be bridged.
"I don't want to paint a gloom-and-doom picture," says Wesley Simpson, (ISC)2's chief operating officer. "We need to think about how we close the gap differently. What we're doing today to get new cybersecurity professionals into the industry isn't working fast enough."
To close the gap, Simpson says the security industry needs to look outside its traditional thinking about what a security professional looks like. "Typically in the past, everyone wants a cybersecurity expert who wants five years and a CISSP. There are only about 130,000 people who fit that worldwide," he explains.
The answer, Simpson says, is for organizations to grow their own cybersecurity pros. Simpson has several suggestions for steps the organizations can take in order to create their own cybersecurity professionals. At one level, he suggests steps like creating apprenticeship programs within the organization so that those who aren't already skilled in cybersecurity can gain expertise in the field.
"Cast a big net. We need people from all different backgrounds and degrees," Simpson says, "Don't focus on STEM- or [computer science]-educated people."
One of the advantages of adding those with liberal arts educations to the cybersecurity team, says Simpson, is that they excel at telling the security story. Cybersecurity teams complain about not getting the resources they need, he says, but they can be quite bad at telling a convincing story about the work they do and the needs they face.
"The liberal arts people are better at telling the story, crafting the story, and talking to all the people they need to talk with to build the story," he says.
Challenge for the Ages
One of the study findings that goes against the stereotype of the young hacker is that relatively few cybersecurity professionals are in the early stages of their careers. While 34% of professionals are Millennials or younger, only 5% belong to Gen Z (born between 1996 and 2010). Simpson believes that cybersecurity's image is one reason young professionals aren't flocking to the field.
"Google cybersecurity and in the first three images you'll get the hacker in the dark hoodie. The image is very negative," he says.
In addition, there's a negative image to the life cybersecurity professionals lead.
"The stereotype of cybersecurity is very negative — long hours, burnout, not appreciated, and not listened to," Simpson explains. In addition, he says, the industry has created the perception that cybersecurity is a very difficult field to enter.
"The industry has grown up so fast that we've made it very confusing for the new candidate," Simpson says. "There's a lack of consistency and commonality around career paths, taxonomy, job description, tasks, and other things."
When that lack of consistency hits the HR department that's involved in hiring, the result is a sort of buzzword bingo that ends up filtering out many great candidates, Simpson says. Instead of working to filter candidates out, he says that companies should be working to show what a great career cybersecurity can be.
"We need to say that we value, train, and develop the individuals," he says.
It's notable that the issue is in attracting new cybersecurity professionals, not retaining those already in the field. Those responding to the survey had an average of nine years in an IT role, with six years at their current organizations, and five years in a cybersecurity role. Two-thirds (66%) of respondents report they are either somewhat satisfied (37%) or very satisfied (29%) in their jobs, and 65% intend to work in cybersecurity for their entire careers.
Among those responding to the survey, 30% were women, with women making up 23% of those with cybersecurity-specific titles. The key to getting more women, and more younger professionals, into the field is in answering a key question, Simpson says: "How do we create a cybersecurity culture that's wanted, is listened to, has a career path, and is appreciated?"
Answering those questions will help bring cybersecurity professionals in from other fields. Already, just 42% of respondents indicate they started their careers in cybersecurity, meaning 58% moved into the field from other disciplines.