Is the cyber crisis real or fiction?

It may be that enterprises are not stepping up to train new candidates for cyber roles or not recognizing that cyber is how business has to be done and not just the responsibility of the designated security officer.


According to various sources including government, policy groups, and businesses, we are in a global cyber crisis. The crisis is that there are not enough qualified cyber professionals to fill existing positions. The future does not look much better, according to these sources, since the number of people preparing for a cyber career at universities does not appear to be growing as quickly as the global demand for practitioners. 

ISACA continued to decry the critical shortage of skilled cyber practitioners, citing statistics from its State of Cybersecurity survey released at the 2017 RSA Conference in San Francisco. The main thrust of this report is that it takes too long to fill cyber vacancies because too few candidates apply for these positions and, among those who do, many are not fully qualified.

A few years ago, I attended a roundtable session with U.S. government agencies, certification granting bodies, universities offering cyber programs, and employers. I was shocked when employers presented their demands for new hires. They wanted entry-level people who were fully capable from both a theoretical and practical skills perspective. From my experience as a hiring manager, candidates for entry-level positions are expected to be smart and capable people who will learn to be effective practitioners. 

They bring a strong theoretical foundation and some experience but are not ready from day one to do the job. Organizations have been prepared to invest in individuals. Organizations have traditionally recognized that investing in people is smart business and the best way to teach the methods, tools, and the culture of the organization. I have also heard from people applying for top-level cyber positions that hiring decisions take a long time.

It is not because candidates do not have the skills and experience. Companies seem to put off making hiring decisions waiting for that one exceptional candidate who will fit into a pay scale. The supposed cyber crisis is more complex than how long it takes to fill a position, how many candidates apply, and what level of skills they have.

While cyber security is considered a security discipline, the truth is that cyber is too complex to be considered only part of the security practitioner's domain. The saying “it takes a village” is as applicable to cyber as it is to caring for and raising children. Within the cyber domain there is a need for many diverse skills including policy development and implementation, risk management, compliance, training and awareness, incident detection and response, investigations and forensics, enterprise architecture, network and system administration, application development and testing, operations, and user support.

It is impossible for any individual to cover all of these areas of knowledge and performance. Each is a separate knowledge domain with ample opportunities for specialization that could provide someone with a rewarding career. Many positions are currently placed outside of the security department where practitioners have the ability to interact with similarly skilled personnel within a professional domain but also contribute to the protection of enterprise information.

The truth is that cybersecurity is not a security-specific domain but an enterprise capability. To be secure, risk awareness, protection planning, defense, and resilience need to be part of the fabric of the enterprise. We may need to think in terms of cyber-governance and cyber-management as responsibilities from the board extending throughout the organization.

Cyber needs to be a skill within each job description. Cyber awareness needs to be integrated into every aspect of how an organization thinks strategically and operates tactically. The real cyber crisis is not that there are not enough cyber professionals in the market. The crisis is that organizations have not defined cyber as a core capability required across the employee population, and they have not stepped up to make the required investment in people for the future.

This article is published as part of the IDG Contributor Network.