Cybersecurity Ventures predicts there will be 3.5 million unfilled jobs by 2021, up from 1 million at the end of 2013. With a growing awareness of the cybersecurity workforce shortage, why is the problem getting worse each year? Here are the top five reasons:
Reason 1: The community doesn't take the cybersecurity workforce shortage seriously enough. In late 2013, Cisco projected there were 1 million job openings globally. For several years after that, cybersecurity labor figures were only minimally updated. Various surveys (as opposed to research) have drastically underestimated the problem because they relied on polls that didn't sample enough companies, or they focused on information/IT security and failed to take the broader cybersecurity market into consideration. This leaves out heaps of workers involved with Internet of Things security, ICS (industrial control systems) security, automotive security, embedded security, and numerous other large categories.
Some surveys, such as ISC2's Global Information Security Workforce Study (registration required), portray a workforce with the number of unfilled cybersecurity jobs not even doubling in nearly a decade, from 2013 to 2022. This is a stark departure from my own research, which shows the number of unfilled positions actually is expected to grow 3.5 times during an even shorter timeframe, from 1 million in 2013 to 3.5 million in 2021.
Reason 2: Universities are not graduating enough students with cybersecurity experience. A story in Forbes last year indicated students can graduate from any one of the top 10 US computer science programs without taking a single course on cybersecurity. CloudPassage, a cloud security firm based in San Francisco, concluded that the American higher-education system is failing at preparing students for careers in cybersecurity. While that may be an overstatement, there are clearly too few college cybergrads released into the workplace each year. At the upper end of the spectrum, only around 150 schools in the US offer an advanced degree such as MS in cybersecurity programs, and many of them are relatively new.
Reason 3: Young people are not getting involved and exposed to cybersecurity early enough. Middle schools and high schools are not teaching students cybersecurity. A study by Raytheon suggests that less than half of students surveyed say a parent or teacher has discussed cybersecurity with them. Hardly enough high school seniors are graduating with intentions to pursue careers as cyber fighters. By the time they enter college, it's too late.
Reason 4: Organizations aren't cross-training their IT workers. CIOs and CISOs are not cross-training enough of their support specialists, network administrators, programmers, Web developers, systems analysts, database administrators, network architects, IT project managers, and others on cybersecurity. There's also no indication of a trend by senior IT leaders to cross over technology workers to fill open cybersecurity positions.
Reason 5: IT leaders have bought into the idea that artificial intelligence and cognitive security will solve the labor crisis. There's exhaustive hype around the promise of AI and how it can reduce the cybersecurity staffing burden at organizations globally. AI is a phenomenal technology that can improve and even transform businesses of all types and sizes. But the productivity and efficiency gains don't translate into fewer workers.