Cybersecurity skills shortage

PwC’s 2018 CEO survey has highlighted a continued hardening of global attitudes to security, with the top four threats to business growth prospects now including terrorism, geopolitical uncertainty, over-regulation and cyber threats. This shift is reflected by the language now used publicly – by government and business leaders alike – as highlighted by the US Department of Homeland Security’s recent announcement of its investigation into an attack on a critical infrastructure facility. There is growing rhetoric that the risk of sponsored cyber-attacks on (inter)national infrastructure could cause economic chaos.

But after endemic under-investment in skills development for over a decade, Jim Kennedy, VP & GM Americas, Certes Technology, explains it is time for a significant change in approach to safeguard business.

Supply versus demand

Organizations now recognize that investment in security is a necessity. Yet with a current estimated 350,000 open cyber security positions in the US, and a predicted global shortfall of 3.5 million cyber security jobs by 2021 — according to Cybersecurity Ventures — the industry clearly has a massive problem regarding supply and demand. And while it is fair to say that the escalation in cyber threats has created an unprecedented need for individuals with skills, talent and experience, it is a combination of chronic under-investment in training and education; market misalignment and a lack of self-marketing that is at the heart of the skills shortage problem.

So where did we go wrong? The ramifications of the massive spike in outsourcing a decade ago are now being felt.  When swathes of technical experts migrated across from public sector to private sector organizations, a history of training, education and skills development was lost. These individuals are now leaving the industry and their skills have never been replaced.  The result is escalating demand and a pool of resources that continues to shrink by the day.

Rethinking education

There are so many flaws in the current model. The industry is frankly appalling at selling itself; at inspiring the next generation by demonstrating that IT can be an exciting and financially rewarding career. In addition, training has over the past decade become almost exclusively product focused – with vendor ‘academies’ teaching individuals about specific product sets, rather than security framework requirements, a move that has further weakened the depth of expertise offered by any one individual.

This approach is simply not sustainable – for IT providers or organizations desperate to access essential cyber security skills. Right now, the small pool of talent is able to demand ever higher rates, making essential cyber security unaffordable for all but the largest and most successful businesses.

The only way organizations will be able to address the huge demand for cyber security skills will be to take control and invest.  And that means shifting away from outsourcing and a reliance upon expensive contractors towards re-insourcing key services, including security: the onus is now on companies to build up their own expertise in-house.

At the same time, the IT industry needs to step up and invest in training – true, agnostic training, not product specific, ersatz sales education. If the next generation of cyber security individuals are going to be able to make the right decisions, they need an excellent grounding in security – from compliance to standards, including GDPR, PCI and ISO 20001. It is only with that in-depth understanding of end to end security issues that individuals will be able to create a robust security infrastructure supported by the right product choices.

Signs of improvement

Fortunately, we’re starting to see recognition at a national level that current approaches are unsustainable. Quietly, the regulatory community has been gearing up public-private partnership efforts to be proactive on cyber threats and has now successfully engaged academia. The Cybersecurity Workforce Alliance (CWA) is a tripartite workforce-engagement model that includes the public sector, private sector and academia which has been working since 2015 to accelerate cybersecurity readiness in entry-level candidates.

It’s ‘industry-first’ approach is designed to align industry’s specific needs and graduates’ expectations with the job roles and responsibilities needed to model a curriculum — at the beginning of a student’s tenure.

Likewise, in the UK, a new National College of Cyber Security sited at the home of the WWII code-code breakers, Bletchley Park, will open in 2019, fostering the development of home grown talent. In parallel, the UK’s National Cyber Security Centre has published new advice for industry based on 14 key principles aligned with existing cyber-security standards to help organizations understand what they need to do to implement essential cyber security measures.

While positive early steps, these approaches do unfortunately only mark the beginning of our journey to close the cyber security skills gap. This vital issue will require sustained focus and deep collaboration between the public sector, private sector organizations including the IT industry itself, and academia.

From vendor agnostic, standards and skills-based training to a commitment to inspiring the next generation to join the industry in the first place, everyone demanding a solution to cyber security skills shortage today needs to step up and become part of the solution – not the problem.