Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cybersecurity Faces 1.8 Million Worker Shortfall By 2022
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
6/14/2017 | 10:15:06 AM
Secondary problem
Even if you were to successfully address the labor shortage of qualified and experienced Cybersecurity professionals, due to the white-hot market for individuals with the right skills, you will immediately inherit employee retention issues.  The stability and 'stay-ability' of the desirable talent is very likely to be lured away for more money, the promise of sponsored certifications, trips to Blackhat/Defcon and advancement opportunity. 
User Rank: Ninja
6/10/2017 | 12:30:17 PM
Competitive Pay and Sponsored Certification
InfoSec resources definitely come from a wide variety of backgrounds.  I've worked with ex-cops, ex-lawyers, ex-history professors, and so on.  My background is - professionally, at least - in software as a build and release, and test engineer.  While I'm currently a security lead embedded in an app development team, even now security isn't my primary role.  In fact, I've had opportunities to get out of my software dev role and focus on security but the pay and benefits didn't outweigh those of my current gig. 

Now, I'm sure it's surprising to some I work with to learn I have pentesting skills, can build Tor servers and nodes, have a deep practical understanding of cryptocurrency and have researched everything from undetectable honeypots to a distributed computing-driven traceroute infrastructure for generating realtime network topology snapshots.  But none of this is interesting when you consider 50 hours of my work week is focused on everyday development lifecycles for standard app features.  My preference would be to put my technical skills toward something I love and find endlessly fascinating, but when you compare the InfoSec work week to its pay scale (and I mean practical engineers who program tools on the fly, track intrusion realtime and patch in response to exploits) you often find a huge gap.

One of the things that keeps me in my current role is the combination of industry competitive pay, benefits and the regular opportunity to get certified on the company's tab.  Working somewhere that gets the value you bring, understands the hours needed to do quality work and provides opportunities for work/life balance is hard to measure.  And for many of the smaller InfoSec groups that have reached out, this just didn't seem to be the case.  Frankly, I suspect a large number of hiring managers don't understand the day-to-day activities of an InfoSec tech. The 24/7 availability requirement is only one aspect of this reality.  There needs to be a resource balance to allow relaxation, but also flexibility to allow techs with families to work after hours when needed, the tools to pull out a mobile device and work when in line at Disneyland on the weekend, and the pay scale to make all of it attractive.

Until the pay is more competitive, the tools provided the best they can get to provide maximum computing power and mobility, and access to company-sponsored certifications becomes the norm, I don't think as many with the skills companies really want to hire are going to be lining up.  This may be just a small factor in the equation, but for me it was the primary one.  And I work alongside lots of far more talented hackers who also settled for the next-best role for the same reasons.  Maybe it's good, though.  That means embedded InfoSec junkies like me can help add a layer of security responsibility that might not have been there before since... well, since companies aren't hiring teams of us.

Charlie Babcock
Charlie Babcock,
User Rank: Ninja
6/8/2017 | 9:08:12 PM
Cybersecurity: A guarantee of lifetime employment?
Many more cybersecurity workers are needed and they will probably find lifetime employment somewhere. But I suspect we won't make any real headway when it comes to protection until automated systems learn enough to start doing some of the work for us.
User Rank: Strategist
6/8/2017 | 11:14:26 AM
Smoke Screen - Covering for massive lack of best practice use
While some folks are needed msot of this is to cover for massive use of best practices.  it takes a lot of people to patch avoidable holes in the dyke.

Privileged Account Security – The Giant Dirty Secret in most organizations cybersecurity.  Why isn't it being addressed?  Lack of Courage.

The overwhelming majority of companies and government organizations are avoiding the most critical cyber-security practice of all. Dealing with privileged account security. It's the biggest dirty secret in cybersecurity. Which is extremely unfortunate because virtually every hack on record was accomplished by someone gaining access to a privileged account then moving through the system. This usually occurs due to a successful phishing expedition. (Of which 22% are successful. Keep in mind only one is needed).

Of the small fraction of companies that even deal with this area only 1% of them actually use the products they purchase properly. Said differently – even if a CISO is buying the right things they are not using most of what you paid for. And in most cases they either have no plan to actually use critical features like Password Management, Session Management and Access Monitoring, or are moving so slow it will decades to finish. Often this is meant to purposefully deceive C-Suite and above. This puts everyone at risk.

Here is how bad things are. CMU CERT is the premier authority on cyber-security best practices. Especially for DoD. I found out that CMU CERT has no solution for themselves in this area. They actually defer to CMU IT for their own security and they have no solution in this area. Shouldn't the organization responsible for telling others what best practice is use best practices for its own security?

Why is this happening? These products inadvertently expose several huge best practice gaps. Examples include having 4X more accounts than people, non-encrypted password files or spreadsheets, emails with passwords and software programs with passwords hard coded in them and many not knowing where they all are. And having local admin permissions available on laptops and end points and not knowing where they all are either.

Why don't these folks address this? Because it means pushing the culture to change bad habits and admit to their executives and boards they even existed in the first place. Governing bodies and regulators mean well but they don't help much. This is because the relevant regulations, SOC, HiTrust etc are too trusting and don't specify enough detail. This gives organizations far too much room to wiggle. This all results in most companies and organizations not utilizing best practices or readily available of off the shelf products that can significantly reduce the threat.

This is not a technical issue. It's one of Courage. Courage to admit the root causes exist, To deal with the culture and lead them to fix them. To not sacrifice customers to protect egos or let the bean counters justify it's cheaper to harm customers than the bottom line.

My Background – 15 Years - Systems Engineer, Program Manager and Engineering Manager for Lockheed Martin – Aircraft Simulation, NORAD and the Aegis Weapon System. Commercial IT Project Manager for 11 years. Including cybersecurity.  Also post 9/11 DoD/DHS whistleblower and IEEE Barus Ethics Award recipient 
User Rank: Moderator
6/8/2017 | 10:06:18 AM
Re: Supply or demand? Cybersecurity
This issue has at least 2 sides; the vendors' and the customers'. There may be a shortage of cyber skills but on which side? Today, there is an unfair load placed on he customer when it should be borne mostly by the vendor. The vendor sells products and services in a basically open (insecure) environment, the internet and should shoulder most of the responsibility, along with WWW and other authorities for safety with some responsibility resting on the customer (user). When I fly, I am not expected to provide my own life jacket and oxygen. It is the airlines' job to make sure aircraft are fundamentally safe and that flying in them safe too. I will, of course, do my bit when instructed by the crew.

What is needed is a security ARCHITECTURE for crucial internet access, It will involve changes to the hardware and software components, at especially the attack points (DNS, SNMP, email etc, etc,), Windows and associated hardware would have to provide new, critical information about 'mal-users' and support a new authentication and authorisation sub-architecture.  Who should do this? It should be initiated at government level, using appropriate standards bodies and specialists to specify this architecture. In the old (70s/80s) days, IT vendors usually had to comply at level C2 of the US Orange books specs; there were higher, more secure levels too. The rules were simple: no comply, no business. Anyone using the net who isn't identifiable via this new architecture, or non-compliant,  should be visible, trackable and excluded or prosecuted.

An equivalent Orange book and 'C2'-type mandate is needed for the net. I have tried to get various cyber security gurus and major figures who recognise this and to support such an initiative, to no avail. It is a case which parallels Mark Twain's famous whinge: 'Everybody is talking about the weather, nobody is doing anything about it'.

The malware hits so far in 2017 exceed the total for 2016 and when it hits the roof by end 2017, I will probably name and shame the people who have voiced concern (usually for personal gain) and done nothing. It's going to be a fun year. The onus must be lifted from the users' shoulders and maybe the need for millions of cyber security people will reduce considerably when protection is mainly automated via this architecture and SW/HW changes.

There are government and other initiatives around now but with little or no cooperation and all chasing in different directions, a sure recipe for a dog's breakfast solution if they ever get one).
User Rank: Author
6/8/2017 | 9:36:23 AM
Dollars Behind This?
Agreed with the other poster above. It's an interesting snap shot, but it would be interesting to provide more context related to actual, dedicated resources and money at companies that is currently earmarked for security and going unspent due to a lack of employees.
User Rank: Apprentice
6/8/2017 | 4:02:25 AM
Supply or demand?
We've seen these headline figures for a few years now, but what's unclear is who is actually providing the numbers. It seems to me that in many cases it is 'IS professionals' saying we need more people to man the barricades because there is more to be done than we can currently cope with. But that sentiment can be found in everything from law enforcement, through nursing to teaching and beyond. Everyone has too much to do and not enough resources to deliver. 

The two questions that I've not seen answered are "how many unfilled vacancies are there" (ie companies want to recruit but can't) and "how many people want to enter the industry but are unable to" (ie they have the skills or want to gain them but there are no jobs to apply for).

The former tells us we need to develop more people (demand over supply), the latter probably suggests the supply is there but there is no demand.


I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.