Taking aim at the cybersecurity skills shortage: 5 approaches to closing the gap

Most CISOs have understaffed security teams. And when they try to beef up their staff, it often takes months to get a qualified candidate in place.

At the same time, CISOs are dealing with a dramatic escalation of threats, prompted in part by the pandemic but a trend that was well underway even before COVID hit.

This confluence of challenges is once again highlighting the significant lack of cybersecurity talent.

“Protecting our environments has never been more critical, yet we struggle to get enough of the right people with the right skills,” said Gail Coury, vice president and general manager of Silverline at F5 Networks and board chair of One In Tech, a philanthropic entity of ISACA, a professional association of IT governance professionals.

She’s not exaggerating.

Gail Coury, VP & general manager, Silverline at F5 Networks

ISACA’s State of Cybersecurity 2020 found that 62% of respondents say their organization’s cybersecurity team is understaffed and 57% have unfilled cybersecurity positions. Additionally, 70% say fewer than half of applicants are well-qualified and 32% say it takes them six months or more to find a qualified candidate for open cybersecurity positions.

The Life and Times of Cybersecurity Professionals 2020, a report from Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), found similar issues. Based on responses from 327 cybersecurity professionals and ISSA members, 70% of organizations have been affected by the worldwide cybersecurity skills shortage. Despite years of attention to the situation, 48% said the skills gap hadn’t improved from the prior year, while 45% said the skills shortage had actually gotten worse.

Meanwhile, (ISC)², a nonprofit membership association of certified cybersecurity professionals, offered a stark outlook in its 2019 (ISC)² Cybersecurity Workforce Study. The report pegged the cybersecurity workforce at 2.8 million professionals with another 4.07 million professionals needed. That means the world needs a 145% increase in its cybersecurity workforce. For those in the United States, the news is only slightly less daunting: In the U.S. market, (ISC)² estimated the cybersecurity workforce at 804,700 with a shortfall of 498,480 skilled professionals, which means an increase of just 62% is needed to meet demand.

Longstanding challenges

None of this is new. However, security leaders say the pandemic-related work-from-home mandates that necessitated re-engineered IT environments coupled with the recent spike in attacks have further taxed stressed security teams. That in turn has brought renewed focus on the need to close the skills gap.

CISOs, vendor executives and other security leaders offer various opinions on what causes this continuing skills shortage.

They frequently talk about a pipeline issue, saying that the profession doesn’t do enough to promote the good pay and strong demand for talent that could entice young people to the field.

They cite, too, the underrepresentation of women and minorities, who — because they don’t see many in the field who look like them — view the profession as uninviting or uninspiring, ensuring in turn that they stay underrepresented.

Coury speaks of that dynamic with firsthand knowledge. A gifted math student in high school, she didn’t think about computers as a career option until one teacher encouraged her to consider the profession. “Had that person never said that to me I never would have been in this career,” she says.

Candy Alexander, international president of the nonprofit Information Systems Security Association (ISSA), offers a different perspective, though.

Candy Alexander, international president, ISSA

She sees the challenges of drawing enough people to the field rooted in a persistent misunderstanding of cybersecurity work among both businesspeople and emerging professionals.

“We’ve seen it as a pipeline issue, and for x number of years we’ve tried to fill the pipeline. But that’s not the sole issue, yet we’ve tried to address this problem just by addressing the pipeline and if that’s all it was,” she says.

Others point to the ever-growing list of skills required to work in the field, particularly in specific industries, which further narrows the funnel of workers available to fill positions. The bar for landing a job — even an entry-level one — gets increasingly higher.

Taking aim at the gap 

Multinational advisory service KPMG takes a multiprong approach to recruiting and retaining a robust security workforce, says Leah Gregorio. A managing director in KPMG’s Advisory Services practice. This includes an annual weeklong Cyber Academy training program for KPMG’s own security professionals, internal initiatives to cross-train colleagues from IT and business areas in cybersecurity skills, and an aggressive recruitment program to bring new college graduates (even those without tech degrees) into the profession. KPMG also has a Women in Cyber group that aims to help increase participation of women in the cyber security and technology space. 

Attacking the problem from all angles may pay off. A slew of recruitment and training programs have emerged to address the cybersecurity skills gap, with many taking aim at specific areas that have been identified as factors contributing to the lack of talent and required skills. These programs span a spectrum of opportunities:

Colleges and universities Academic initiatives are seeking to draw more students into the field through an increasing number of certificate, degree and specialized programs. For example, George State University announced in July 2020 that its Evidence-Based Cybersecurity Research Group (EBCS) received nearly $300,000 from the National Science Foundation for a pilot teaching students advanced cybersecurity research skills and matching them with CISOs to test tools to determine whether they improve enterprise security. The Evidence-based Cybersecurity-Training and Mentorship Program for Students will work with 60 students from the U.S. Southeast in groups of 30 over two summers.

“Organizations see an ever-increasing talent and skills gap as they try to fill the roles among their defense lines, whether in Security Operations Centers, Information Security Engineering, Blue Teams, Red Teams or Purple Teams. Individuals, on the other hand, find it challenging to enter a field that has become so enormously complex and so rapidly changing that it represents a very steep learning curve,” Flavio Villanustre, vice president of technology and CISO for LexisNexis Risk Solutions in Atlanta and an adviser to the new program, said in a statement announcing the new initiative.

Private companies Companies are also introducing their own individual initiatives to help bolster both the volume and the available skills within the cybersecurity profession. Case in point is Accenture’s national apprenticeship program. Accenture teams work with community colleges, nonprofit entities and tech academies to recruit and then train apprentices in cybersecurity and other high-demand areas such as digital, data analytics, cloud migration, finance, marketing and human resources. The firm has brought on 125 apprentices between 2016 and 2020, with 85% of them moving into full-time roles in their areas of training.

Professional associations Professional security-related associations have launched their own initiatives to help both individuals gain in-demand security skills as well as aid enterprise security leaders craft training for their teams. The International Consortium of Minority Cybersecurity Professionals, for example, lists as part of its mission to “foster recruitment, inclusion and retention” of women and minorities through its programs. One in Tech, the ISACA program, has three initiatives to develop a racially and culturally diverse workforce, to move women into the field and into leadership roles, and to teach under-resourced and under-represented children the digital skills they need now and encourage their pursuit of cybersecurity work in the future. (ISC)² offers The Enterprise Guide to Establishing a Cybersecurity Training Program, designed to help companies create plans tailored to their own specific needs.

Public sector Government officials have also been active in trying to close the skills gap, with entities such as the National Initiative for Cybersecurity Careers and Studies (NICCS), an online resource for cybersecurity training that connects government employees, students, educators and industry with cybersecurity training providers. More efforts could be forthcoming, as the September 2020 white paper from the Cyberspace Solarium Commission highlighted the need for action. The CSC, established by the 2019 National Defense Authorization Act, cited the continuing need for, and struggle to get, a skilled cyber workforce, with the commission’s co-chairs writing that “without talented cyber professionals working the keyboard, all the cutting-edge technology in the world cannot protect the United States in cyber-space. If we do not take action now to ensure that our talented and experienced workforce continues to grow, we are leaving our country vulnerable to future cyber attacks.” The paper, Growing a Stronger Federal Cyber Workforce, details the need to recruit, develop, retain and grow the country’s security profession.

Training organizations Similarly, many private organizations are trying to tackle the cybersecurity skills gap, with the entities offering programs ranging from the nonprofit SANS Institute with its online training options to Cybrary, an online cybersecurity career development platform. Cybrary says its fall 2020 survey demonstrates the need for expanding training options, noting that 72% of 800 security and IT professionals said skills gaps do indeed exist on their current teams and 65% agreed that those gaps negatively impact their team’s effectiveness. Other organizations, such as Skillsoft and Skillstorm, also offer individual and team training.

When it comes to attracting, training, and retaining security talent, one thing is clear: This is a issue with some urgency. The ramifications of the cybersecurity talent shortage are significant, says Jon Oltsik, a senior principal analyst and fellow with ESG. CISOs indicate that the shortage of qualified security professionals means that positions stay open for long stretches and even when they’re filled, new hires are frequently unprepared to fully handle the role. That in turn means they’re less effective in the position and often less capable of using the security tools at their disposal to their full potential. “All combined, that means organizations are less secure,” Oltsik says.