What Can Be Done to Overcome Cybersecurity Staff Shortage? Experts React to New Report That Identifies Challenges
For the fifth consecutive year, the supply of those with cybersecurity skills is far too low to meet the demand, according to a report by the Information Systems Security Association and industry analyst firm Enterprise Strategy Group.
The report, titled The Life and Times of Cybersecurity Professionals 2021, is based on a global survey of 489 cybersecurity and IT professionals. It found that 57% of organizations are affected by the global cybersecurity skills shortage, and 76% find that hiring and recruiting cybersecurity professionals is difficult.
A Dark Picture
"I would posit that the picture is bleaker than this report suggests. Specifically, the need is growing," says Frank Downs, a former U.S. National Security Agency offensive analyst who is now senior director of proactive services at BlueVoyant.
Mike Hamilton, the former CISO for Seattle, also says the situation is worse than what is portrayed in the report.
"In fact, this report does not address an outstanding and somewhat glaring problem: Many of the applicants for cyber positions are unqualified," says Hamilton, who is the founder and CISO at CI Security.
Insufficient salary levels are the primary contributing factor for the lack of staff members with cybersecurity skills, according to 38% of those surveyed.
"Being offered a higher compensation package is the main reason CISOs leave one organization for another," the report states.
Hamilton argues, however, that the real issue is the dearth of workers, which inflates their value.
"In my opinion, most are being compensated fairly, and if it were not a 'seller's market,' there would not be as much pressure on compensation," he says. "We're all looking forward to the day when cyber practitioners litter the landscape, are qualified and salaries come down."
Matthew Webster, CISO at Galway Holdings, says the salary offered for an open position directly affects the caliber of applicants.
"Generally speaking, with exceptions, I've had reasonably good luck with salary for my employees. If I am hiring, if I am not given enough, it shows through in the candidates," he says.
Downs says that cybersecurity pros have an accurate idea of their earnings potential and are willing to change jobs for compensation or other issues.
"Attrition is a real problem in companies when it comes to cybersecurity," he says. "Not only do budgets need to change to fairly compensate these professionals, organizations need to change their cultures and views of the value cyber professionals bring to their companies."
Some 39% of survey respondents said their organization needs more funding to train cybersecurity workers.
"To maintain and advance their skill sets, many cybersecurity professionals seek to achieve at least 40 hours of training each year," the report states.
Downs believes an organization is usually to blame if cybersecurity workers do not have the time or funds to pursue certificates or a higher level of education. He recommends companies cover the costs when a worker expresses an interest in improving their skills and make sure there is time built into their schedule to accomplish their goals.
"In my experience, the only time an organization suffers from an employee pursuing a certification or degree is when that company is supremely understaffed and depends too much on those employees," he says. "Cybersecurity is a field that requires constant training and upkeep. If a company isn't willing to support their assets, they will lose them to another company that will support those professionals."
Charmaine Valmonte, head of IT security and infrastructure at Aboitiz Group of Companies, stresses that time for training must be built into staff members' schedules, and each individual needs a personalized development plan.
"For our team, we allocate and plan each member taking on a certification of their choice in their field of interest per year," Valmonte says. "The vendor production presentations, seminars, online subscriptions and facilitating training to employees and weekly two-hour technical training time are part of our team's operations plan for the year."
The report found about 30% of cyber professionals believe their human resource departments likely exclude strong job candidates because the departments don't understand the skills necessary to work in cybersecurity. Another 25% say the job postings placed by their human resource departments are unrealistic, demanding too much experience, too many certifications or too many specific technical skills.
CISOs must try to better educate recruiters on real-world cybersecurity goals and needs so they have a better understanding of the typical levels of experience cybersecurity professionals need for a given position, the report says.
Mark Eggleston, global CISO at CSC Global, says that every team member should have a career ladder and training. Those workers who take advantage of training should be formally recognized, he says.
"Many human resource fields view cybersecurity as synonymous with IT," Downs says. "The two career fields are related, but also very different. As such, it is hard for maligned HR organizations to find cybersecurity talent."
DHS Secretary Makes a Plea
The cybersecurity skills shortage also extends deeply into the federal government.
At the Black Hat 2021 conference last week, Department of Homeland Security Secretary Alejandro Mayorkas made an impassioned plea for cybersecurity workers to consider a career in government service.
"Come work with us at the Department of Homeland Security. Join our team of cybersecurity experts at CISA and the rest of DHS. Lead the charge on the inside and help us tackle growing challenges head-on," Mayorkas said. "I cannot overstate the pride and sense of profound fulfillment one will have in joining our team. You can really do a lot here with us."
Mayorkas said the government's Cybersecurity Talent Management System initiative will give DHS and other federal agencies more flexibility to hire cyber talent.
"We are increasing access to the field of cybersecurity across every level. We seek to draw on every ounce of talent and maximize the incredible potential that exists in communities across our country. We want every voice at the table," Mayorkas said.