No matter how you spin it, a shortage of 1 million workers in any industry is a problem. But when you're talking about the expected worldwide shortage of information security professionals, especially as cyberattacks climb each year, a million is an alarming number -- and one that our industry needs to face head-on.
The cybersecurity skills gap has developed over time, and it's a gap I've witnessed firsthand. Ten years ago, when I worked in IT but not yet in a security capacity, a cybersecurity skills gap didn't exist.
Of course, some organizations, especially those in regulated industries that manage data related to people -- finance, healthcare, military and insurance -- have had in-house security teams for years. But for most companies, it just wasn't a pressing IT requirement. Cyberattacks weren't very common at the time, so there was little need for a specialized, in-house security team to combat the threat.
At the time, security was ad hoc and largely reactive. You had as-needed security committees, not dedicated departments. If a breach occurred, and assuming IT realized it had been hacked, the team would usually just fortify its network perimeter and take additional action to prevent it from happening again.
Security now spearheaded by specialists
It's a different story today. Security is now a proactive process, led by in-house specialists. As such, the demand for dedicated security professionals is much higher -- so high that organizations, including the federal government, can't seem to find the talent they need. In the aftermath of the Office of Personnel Management (OPM) hack earlier this summer, U.S. CIO Tony Scott said that identifying security talent is "the hardest recruiting that there is on the planet today."
So, why does this growing cybersecurity skills gap exist? Why has even the federal government struggled to find skilled people? A few factors are at play.
First, cybersecurity is a very specific field. If you want to work in cybersecurity, your background must encompass both computer science and networking. You must be acutely aware of the cybersecurity landscape -- from older, static threats like malware to new ones like advanced persistent threats. It's challenging to find experts possessing this breadth and depth of skills.
Additionally, as companies build their in-house security teams, they're often pulling talent from their general IT departments. Think of the systems administrator who never intended to have a career in security, but is now the person responsible for protecting core elements of the company's network. A person with no interest in security is just as big a problem as a person with no security skills at all.
This role-to-skills mismatch is just as common among high-level IT security officers, such as CIOs and CISOs. In these roles, they have primary responsibility for building and managing a reliable team of security experts and resources, whereas in the past, they primarily focused on building and managing information technology systems.
The bounce-back factor is an important ingredient
This relates to the last factor, which is that IT security pros need thick skin. It's common for security teams, and particularly C-level security officers, to come under fire when an attack is successfully launched against the company -- no matter the context. Perhaps that's in part why a CIO's average tenure is only four years. The reality is that almost every company today experiences some kind of cyberattack. Security teams must be resilient, bounce back quickly and learn from these attacks, so they don't happen again.
A gap of 1 million IT security pros won't be erased overnight, and for many companies, it could take years before their security staffing needs are met. In the meantime, understaffed and under-resourced IT security departments will need to depend on security technology -- from centrally managed remote access VPN offerings to threat detection system firewalls -- to help them gain reach and better protect their organizations.
Such a platform -- robust and automated -- will enable companies to defend themselves from today's most considerable threats, no matter how large their security talent deficit may be.