Most CISOs have understaffed security teams. And when they try to beef up their staff, it often takes months to get a qualified candidate in place.

At the same time, CISOs are dealing with a dramatic escalation of threats, prompted in part by the pandemic but a trend that was well underway even before COVID hit.

This confluence of challenges is once again highlighting the significant lack of cybersecurity talent.

“Protecting our environments has never been more critical, yet we struggle to get enough of the right people with the right skills,” said Gail Coury, vice president and general manager of Silverline at F5 Networks and board chair of One In Tech, a philanthropic entity of ISACA, a professional association of IT governance professionals.

She’s not exaggerating.

[Photo: Gail Coury, VP & general manager, Silverline at F5 Networks]

ISACA’s State of Cybersecurity 2020 found that 62% of respondents say their organization’s cybersecurity team is understaffed and 57% have unfilled cybersecurity positions. Additionally, 70% say fewer than half of applicants are well-qualified and 32% say it takes them six months or more to find a qualified candidate for open cybersecurity positions.

The Life and Times of Cybersecurity Professionals 2020, a report from Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA), found similar issues. Based on responses from 327 cybersecurity professionals and ISSA members, 70% of organizations have been affected by the worldwide cybersecurity skills shortage. Despite years of attention to the situation, 48% said the skills gap hadn’t improved from the prior year, while 45% said the skills shortage had actually gotten worse.

Meanwhile, (ISC)², a nonprofit membership association of certified cybersecurity professionals, offered a stark outlook in its 2019 (ISC)² Cybersecurity Workforce Study.
The report pegged the cybersecurity workforce at 2.8 million professionals with another 4.07 million professionals needed. That means the world needs a 145% increase in its cybersecurity workforce. For those in the United States, the news is only slightly less daunting: In the U.S. market, (ISC)² estimated the cybersecurity workforce at 804,700 with a shortfall of 498,480 skilled professionals, which means an increase of just 62% is needed to meet demand.

Longstanding challenges

None of this is new. However, security leaders say the pandemic-related work-from-home mandates that necessitated re-engineered IT environments coupled with the recent spike in attacks have further taxed stressed security teams. That in turn has brought renewed focus on the need to close the skills gap.

CISOs, vendor executives and other security leaders offer various opinions on what causes this continuing skills shortage.

They frequently talk about a pipeline issue, saying that the profession doesn’t do enough to promote the good pay and strong demand for talent that could entice young people to the field.

They cite, too, the underrepresentation of women and minorities, who — because they don’t see many in the field who look like them — view the profession as uninviting or uninspiring, ensuring in turn that they stay underrepresented.

Coury speaks of that dynamic with firsthand knowledge. A gifted math student in high school, she didn’t think about computers as a career option until one teacher encouraged her to consider the profession. “Had that person never said that to me I never would have been in this career,” she says.

Candy Alexander, international president of the nonprofit Information Systems Security Association (ISSA), offers a different perspective, though.
[Photo: Candy Alexander, international president, ISSA]

She sees the challenges of drawing enough people to the field rooted in a persistent misunderstanding of cybersecurity work among both businesspeople and emerging professionals.

“We’ve seen it as a pipeline issue, and for x number of years we’ve tried to fill the pipeline. But that’s not the sole issue, yet we’ve tried to address this problem just by addressing the pipeline and if that’s all it was,” she says.

Others point to the ever-growing list of skills required to work in the field, particularly in specific industries, which further narrows the funnel of workers available to fill positions. The bar for landing a job — even an entry-level one — gets increasingly higher.

Taking aim at the gap

Multinational advisory service KPMG takes a multiprong approach to recruiting and retaining a robust security workforce, says Leah Gregorio, a managing director in KPMG’s Advisory Services practice. This includes an annual weeklong Cyber Academy training program for KPMG's own security professionals, internal initiatives to cross-train colleagues from IT and business areas in cybersecurity skills, and an aggressive recruitment program to bring new college graduates (even those without tech degrees) into the profession. KPMG also has a Women in Cyber group that aims to help increase participation of women in the cyber security and technology space.

Attacking the problem from all angles may pay off. A slew of recruitment and training programs have emerged to address the cybersecurity skills gap, with many taking aim at specific areas that have been identified as factors contributing to the lack of talent and required skills. These programs span a spectrum of opportunities:

Colleges and universities

Academic initiatives are seeking to draw more students into the field through an increasing number of certificate, degree and specialized programs.
For example, Georgia State University announced in July 2020 that its Evidence-Based Cybersecurity Research Group (EBCS) received nearly $300,000 from the National Science Foundation for a pilot teaching students advanced cybersecurity research skills and matching them with CISOs to test tools to determine whether they improve enterprise security. The Evidence-based Cybersecurity-Training and Mentorship Program for Students will work with 60 students from the U.S. Southeast in groups of 30 over two summers.

“Organizations see an ever-increasing talent and skills gap as they try to fill the roles among their defense lines, whether in Security Operations Centers, Information Security Engineering, Blue Teams, Red Teams or Purple Teams. Individuals, on the other hand, find it challenging to enter a field that has become so enormously complex and so rapidly changing that it represents a very steep learning curve,” Flavio Villanustre, vice president of technology and CISO for LexisNexis Risk Solutions in Atlanta and an adviser to the new program, said in a statement announcing the new initiative.

Private companies

Companies are also introducing their own individual initiatives to help bolster both the volume and the available skills within the cybersecurity profession. Case in point is Accenture’s national apprenticeship program. Accenture teams work with community colleges, nonprofit entities and tech academies to recruit and then train apprentices in cybersecurity and other high-demand areas such as digital, data analytics, cloud migration, finance, marketing and human resources. The firm has brought on 125 apprentices between 2016 and 2020, with 85% of them moving into full-time roles in their areas of training.

Professional associations

Professional security-related associations have launched their own initiatives, both to help individuals gain in-demand security skills and to help enterprise security leaders craft training for their teams.
The International Consortium of Minority Cybersecurity Professionals, for example, lists as part of its mission to “foster recruitment, inclusion and retention” of women and minorities through its programs. One in Tech, the ISACA program, has three initiatives to develop a racially and culturally diverse workforce, to move women into the field and into leadership roles, and to teach under-resourced and under-represented children the digital skills they need now and encourage their pursuit of cybersecurity work in the future. (ISC)² offers The Enterprise Guide to Establishing a Cybersecurity Training Program, designed to help companies create plans tailored to their own specific needs.

Public sector

Government officials have also been active in trying to close the skills gap, with entities such as the National Initiative for Cybersecurity Careers and Studies (NICCS), an online resource for cybersecurity training that connects government employees, students, educators and industry with cybersecurity training providers. More efforts could be forthcoming, as the September 2020 white paper from the Cyberspace Solarium Commission highlighted the need for action. The CSC, established by the 2019 National Defense Authorization Act, cited the continuing need for, and struggle to get, a skilled cyber workforce, with the commission’s co-chairs writing that “without talented cyber professionals working the keyboard, all the cutting-edge technology in the world cannot protect the United States in cyber-space.
If we do not take action now to ensure that our talented and experienced workforce continues to grow, we are leaving our country vulnerable to future cyber attacks.” The paper, Growing a Stronger Federal Cyber Workforce, details the need to recruit, develop, retain and grow the country’s security profession.

Training organizations

Similarly, many private organizations are trying to tackle the cybersecurity skills gap, with programs ranging from the nonprofit SANS Institute’s online training options to Cybrary, an online cybersecurity career development platform. Cybrary says its fall 2020 survey demonstrates the need for expanding training options, noting that 72% of 800 security and IT professionals said skills gaps do indeed exist on their current teams and 65% agreed that those gaps negatively impact their team’s effectiveness. Other organizations, such as Skillsoft and Skillstorm, also offer individual and team training.

When it comes to attracting, training, and retaining security talent, one thing is clear: This is an issue with some urgency. The ramifications of the cybersecurity talent shortage are significant, says Jon Oltsik, a senior principal analyst and fellow with ESG. CISOs indicate that the shortage of qualified security professionals means that positions stay open for long stretches and even when they’re filled, new hires are frequently unprepared to fully handle the role. That in turn means they’re less effective in the position and often less capable of using the security tools at their disposal to their full potential. “All combined, that means organizations are less secure,” Oltsik says.