Ending Cybersecurity Labor Shortage Will Take Time

Researchers at RAND say the industry has taken the right steps, but there is still a long way to go.

Overwrought CISOs, take heart: You may be short-staffed now, but the best seeds for solving the shortage may have already been planted, and now we just need to wait for them to bear fruit.

This is one of the findings of "Hackers Wanted: An Examination of the Cybersecurity Labor Market," a new study by the RAND Corporation. The study also shows that, while the world waits for the next generation of security professionals to mature, the industry is using creative ways to identify people within the existing workforce who have an aptitude for information security. The authors further suggest that, instead of just increasing the supply of infosec professionals, we should try reducing demand for them.

Martin C. Libicki, senior management scientist at RAND and one of the authors of the report, is not surprised that the skills gap is taking time to close. "It takes a while for someone to get proficient," he says. "You might dangle a carrot in front of someone in 2010, but they won't be able to chew it until 2015."

However, Libicki was surprised by the ability of large organizations to cope with the short-term limits by using "systematic ways of going through their workforce" to find talent.

Since all organizations must conduct security awareness training sessions anyway, some are folding personality and aptitude testing into that training. They look for people who have dismantled their home computer for fun -- those who like solving puzzles, finding out how things work, and learning how things could be made to fail. These diamonds in the rough (who might have degrees in English, not computer science) may be encouraged to take infosec training and consider a career change.

The trouble with training employees, of course, is that people will happily take that training and then take their newly minted skills elsewhere.

Libicki says that this is a common problem -- not unique to cybersecurity -- for most organizations, outside of the military. (As he says, knowing how to operate an aircraft carrier isn't likely to be transferable in the private sector.) However, training and retaining security professionals is a significant problem within other sectors of the government. One of the limiting factors is the government's strict pay grades.

"The average infosec person earns about $100K. The government can play in that space," Libicki says. However, the most skillful, top-tier pros are few and therefore come at a premium -- between $200,000 and $250,000. The US government might be able to afford up to $150,000 and might be able to add some non-monetary benefits beyond that, but when the price goes above $200,000, the government cannot compete with private industry. This inability to retain the very best talent can put national security at risk.

The study does muse on the idea of boosting national cybersecurity at times when the threat is highest by drawing on reserve forces, like the National Guard and the Army Reserves, that become available when there is a crisis, but the authors think that this is a flawed idea. From the report:

    Unfortunately for most cybersecurity tasks (forensics conspicuously aside), effective cybersecurity defense requires familiarity with the systems being attacked -- something that part-time exposure does not provide very well.

Libicki adds that, if a security pro at a bank is called into service for the government, the bank is suddenly left unprotected.

So there is still a need for a higher quantity of warm bodies in infosec jobs. The RAND study states that there will be higher numbers a few years from now, because schools and universities have responded to the demand.

Nevertheless, demand might increase as well.

Libicki says that, instead of just increasing the supply of security professionals, the industry should work on reducing demand. "$70 billion is spent on cybersecurity globally. If we could shift some of our money to making sure our software had fewer holes in it," instead of plugging those holes later, enterprises and national security could be better managed by fewer people.

Yet the secure development lifecycle is not the only thing in the bag of tricks, he says. Secure architecture is just as important as software. He points to how the closed environment of Apple products keeps them safer than the openness of Android products and how sandboxing makes Google Chrome more secure than Firefox.

"I would make a wild guess that one out of every 10 people who could be a great cybersecurity professional are already doing cybersecurity," Libicki says. "Maybe we need to get 15% of them instead of 10%, but I don't want to get to the point that all 10 of them are doing cybersecurity. We need those smart people doing other things, too."

Other recommendations made by RAND include:

    More active waiving of civil service rules that impede hiring talented cybersecurity professionals, maintaining government hiring of cybersecurity professionals even through adverse events such as sequestrations, funding software licenses and related equipment for educational programs, refining tests to identify candidates likely to succeed in cybersecurity careers, and, in the longer run, developing methods to attract women into the cybersecurity profession.
    But, in general, we support the use of market forces (and preexisting government programs) to address the strong demand for cybersecurity professionals in the longer run.

The full report can be found at rand.org.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Ninja
6/20/2014 | 6:55:54 AM
Re: A Sensible Report - Missing Something?
There will always be a growing demand for skilled profiles ... hackers and companies is a marriage that is becoming a significant need.
Randy Naramore,
User Rank: Ninja
6/19/2014 | 9:45:20 AM
Re: A Sensible Report - Missing Something?
Agreed, some of the "hackers" are very skilled and in the right circumstances can make a talented member of any security team as long as they have turned from their criminal ways. The knowledge they can share can be very useful to avoiding future attacks. 
User Rank: Ninja
6/18/2014 | 4:02:21 PM
A Sensible Report - Missing Something?
I hadn't read this report and immediately downloaded it after this posting.  I wish I could respond to every point, because they are good ones and paint a great picture of where cybersecurity is right now.  My interest in cyber security began in 1996, but I've never worked under a security title.  Rand rightly notes that folks like us are valuable both under and outside the CIS umbrella.

That said, I still think there is an untapped resource pool out there, and it's one that understandably is tough to figure out. Some companies and the government do this, which is to recruit cyber criminals to work for them, sometimes with the benefit of amnesty (if working for the government) or other perks, like the promise of career advancement, that keep the recruits "honest".

There are many talented and well-meaning hackers out there with criminal records.  Times change, people change.  And in many cases, it is this pool you want to pull from, and not the book-learned pool.  The pool of cyber criminals and hacktivists (keep in mind, having a record doesn't always equate to criminal intent; hacktivists are often arrested and they are good people trying to make a difference) hosts intelligent and well-seasoned hackers who have learned and executed skills one may never learn in college or trade schools.

Excellent overview of a solid report, otherwise - can't wait to see the follow-ups. 
