PwC’s 2018 CEO survey has highlighted a continued hardening of global attitudes to security, with the top four threats to business growth prospects now including terrorism, geopolitical uncertainty, over-regulation and cyber threats. This shift is reflected by the language now used publicly – by government and business leaders alike – as highlighted by the US Department of Homeland Security’s recent announcement of its investigation into an attack on a critical infrastructure facility. There is growing rhetoric that sponsored cyber-attacks on (inter)national infrastructure could cause economic chaos.

But after endemic under-investment in skills development for over a decade, Jim Kennedy, VP & GM Americas, Certes Technology, explains it is time for a significant change in approach to safeguard business.

Supply versus demand

Organizations now recognize that investment in security is a necessity. Yet with a current estimated 350,000 open cyber security positions in the US, and a predicted global shortfall of 3.5 million cyber security jobs by 2021 — according to Cybersecurity Ventures — the industry clearly has a massive problem regarding supply and demand. And while it is fair to say that the escalation in cyber threats has created an unprecedented need for individuals with skills, talent and experience, it is a combination of chronic under-investment in training and education, market misalignment and a lack of self-marketing that is at the heart of the skills shortage problem.

So where did we go wrong? The ramifications of the massive spike in outsourcing a decade ago are now being felt. When swathes of technical experts migrated across from public sector to private sector organizations, a history of training, education and skills development was lost. These individuals are now leaving the industry and their skills have never been replaced.
The result is escalating demand and a pool of resources that continues to shrink by the day.

Rethinking education

There are so many flaws in the current model. The industry is frankly appalling at selling itself; at inspiring the next generation by demonstrating that IT can be an exciting and financially rewarding career. In addition, training has over the past decade become almost exclusively product focused – with vendor ‘academies’ teaching individuals about specific product sets, rather than security framework requirements, a move that has further weakened the depth of expertise offered by any one individual.

This approach is simply not sustainable – for IT providers or organizations desperate to access essential cyber security skills. Right now, the small pool of talent is able to demand ever higher rates, making essential cyber security unaffordable for all but the largest and most successful businesses.

The only way organizations will be able to address the huge demand for cyber security skills will be to take control and invest. And that means shifting away from outsourcing and a reliance upon expensive contractors towards re-insourcing key services, including security: the onus is now on companies to build up their own expertise in-house.

At the same time, the IT industry needs to step up and invest in training – true, agnostic training, not product specific, ersatz sales education. If the next generation of cyber security individuals are going to be able to make the right decisions, they need an excellent grounding in security – from compliance to standards, including GDPR, PCI and ISO 20001. It is only with that in-depth understanding of end-to-end security issues that individuals will be able to create a robust security infrastructure supported by the right product choices.

Signs of improvement

Fortunately, we’re starting to see recognition at a national level that current approaches are unsustainable.
Quietly, the regulatory community has been gearing up public-private partnership efforts to be proactive on cyber threats and has now successfully engaged academia. The Cybersecurity Workforce Alliance (CWA) is a tripartite workforce-engagement model that includes the public sector, private sector and academia, and has been working since 2015 to accelerate cybersecurity readiness in entry-level candidates.

Its ‘industry-first’ approach is designed to align industry’s specific needs and graduates’ expectations with the job roles and responsibilities needed to model a curriculum — at the beginning of a student’s tenure.

Likewise, in the UK, a new National College of Cyber Security sited at the home of the WWII codebreakers, Bletchley Park, will open in 2019, fostering the development of home-grown talent. In parallel, the UK’s National Cyber Security Centre has published new advice for industry based on 14 key principles aligned with existing cyber-security standards to help organizations understand what they need to do to implement essential cyber security measures.

While positive early steps, these approaches do unfortunately only mark the beginning of our journey to close the cyber security skills gap. This vital issue will require sustained focus and deep collaboration between the public sector, private sector organizations including the IT industry itself, and academia.

From vendor agnostic, standards and skills-based training to a commitment to inspiring the next generation to join the industry in the first place, everyone demanding a solution to the cyber security skills shortage today needs to step up and become part of the solution – not the problem.