IBM paper suggests changes are needed in cybersecurity education to address this silent problem.

I’ve written countless times about the cybersecurity skills shortage but here’s a quick summary of a few ESG research data points that illustrate the scope of this problem:

1. 25% of mid-market (i.e. 100 to 999 employees) and enterprise (i.e. more than 1,000 employees) organizations report a “problematic shortage” of IT security skills.
2. 36% of organizations increasing IT headcount this year plan to hire information security staff. Of all the IT headcount being added in 2013, hiring information security professionals is the highest priority.
3. 83% of enterprise organizations say that it is “extremely difficult” or “somewhat difficult” to recruit and hire information security specialists. Those organizations having the hardest time include companies in rural areas, mid-market firms, and vertical industries like academia and the public sector.

I remain amazed and incredulous that the cybersecurity skills shortage gets so little attention but a few others are also screaming from the hilltops to get governments, the security industry, and educators to pay attention. For example, IBM recognizes that a dearth of cybersecurity skills presents a threat to its customers, its security business, and its services organization. Let’s face it; no one will build “smarter planet” applications if there aren’t a whole bunch of highly-skilled security professionals to keep them safe.

IBM isn’t just assuming the role of Chicken Little and yelling about how the cybersecurity skills sky is falling. Rather, the folks in Armonk are actually trying to do something about it. For example, IBM just published a paper called Cybersecurity Education for the Next Generation (http://public.dhe.ibm.com/common/ssi/ecm/en/ede12345usen/EDE12345USEN.PDF). The paper provides a high-level overview of the current state of cybersecurity skills and education and then suggests a few changes.

For example, IBM suggests that cybersecurity programs must become:

• More comprehensive. Yes, firewall rules and AV signatures are important, but the next generation of cybersecurity leaders needs to be able to understand cybersecurity as it relates to the business, legal system, and society. This means that cybersecurity education has to branch out from the Computer Science department alone.
• More cooperative. Cybersecurity protection doesn’t work when the CISO and team are not part of business, IT, and application planning. That said, many groups view the security team in an adversarial way. The next generation of cybersecurity leaders must be able to break down legacy walls and become business facilitators rather than business impediments.
• Book smart and street smart. We need cybersecurity people who understand what works in theory and practice. A degree or certification alone isn’t enough.

Think of this document as a starting point for future discussion. Given IBM’s size and resources, I hope it pushes this agenda further with leading academic institutions.

The cybersecurity skills shortage will not solve itself so ignoring the problem is equivalent to “security by obscurity.” Since we all know how ineffective this strategy is, I hope that others follow IBM’s lead and take this issue more seriously. Like it or not, we all have skin in this game.