Global cybersecurity skills shortage and high demand could lead to high turnover and hyper wage inflation next year

As part of its annual IT spending intentions research, ESG asks IT professionals around the world to identify areas where they have a problematic shortage of IT skills. Over the past three years, information security skills topped this list. In 2014, 25% of all organizations said they had a problematic shortage of infosec skills (note: I am an ESG employee).

So where are information security skills shortages most acute? When we asked security professionals this question a few years ago, the results showed shortages across the board:

- 43% of organizations have a problematic shortage of cloud computing and server virtualization security skills
- 31% of organizations have a problematic shortage of endpoint security skills
- 31% of organizations have a problematic shortage of network security skills
- 30% of organizations have a problematic shortage of data security skills
- 30% of organizations have a problematic shortage of security analytics/forensic skills

Now I’ve been one of the louder voices screaming about the cybersecurity skills shortage for a while but thankfully I’m not alone. In November, a special Parliamentary Select Committee in the United Kingdom’s House of Lords reported a global shortage of “no less than two million cybersecurity professionals” by the year 2017. In 2013, a Government Accountability Office (GAO) report stated that the DHS’s National Protection and Programs Directorate’s Office of Cybersecurity and Communications had a vacancy rate of 22%. Similar data is coming from other geographic areas as well.

Cowboy philosopher, Will Rogers, was once asked about investing in real estate. He’s quoted as saying, “buy real estate because they ain’t makin’ no more of it.” In other words, supply is fixed so there will be money to be made in periods of high demand. Old Will Rogers’ homespun advice will take hold in 2015 with regard to cybersecurity skills.

With no end in sight for targeted attacks and a parade of data breaches at Home Depot, Staples, and Sony Pictures, I’m convinced that there is going to be a Black Friday-like buying frenzy for cybersecurity talent throughout 2015.

What does this mean? Nervous financial services vendors and government integrators will bid up cybersecurity salaries to new highs. In the meantime, security services leaders like CSC, Dell, HP, IBM, Symantec, and Unisys will aggressively cherry pick cybersecurity specialists by offering lucrative compensation packages along with intensive training for skills development. Cybersecurity employees with years of faithful employment at small regional banks, universities, and state governments will get offers they simply can’t refuse. This will cause a panic at many organizations when they lose security professionals who more-or-less “owned” their informal incident detection and response processes.

We’ve known about the cybersecurity skills shortage for years and haven’t done nearly enough to address this problem. Lip service, token programs, and spreading limited funding around make good press releases but are little more than another finger in the dyke.

When it comes to cybersecurity, it’s sexy to talk about sophisticated adversaries, innovation and VC-backed startups – intrigue, money and technology drive the infosec market. I get this but we still need people in place who know what they are doing and to paraphrase Will Rogers, “we ain’t makin’ ’em” – at least not fast enough to keep up with demand.

We won’t have an appropriately-sized army of cybersecurity professionals in 2015 and some organizations will be left high-and-dry. As this happens, the cybersecurity skills shortage will become more visible and more problematic than the industry, national governments, and large organizations seem to anticipate.