Anyone who works in the cyber security field probably knows how difficult it is for companies to fill security-related job openings. But the shortage has been made all the more worrisome, given the growing severity and frequency of attacks. And according to recent research, the shortage is getting worse.
The global cyber security workforce shortage is on pace to hit 1.8 million by 2022, a 20% increase since 2015. That’s according to a report conducted by Frost & Sullivan for the Center for Cyber Safety and Education, with the support of (ISC)2, Booz Allen Hamilton and Alta Associates.
The Global Information Security Workforce Study finds that 68% of workers in North America think the workforce gap is due to a lack of qualified personnel. The survey incorporates insights from more than 19,000 cyber security professionals.
There is a clear concern that jobs remain unfilled, ultimately resulting in a lack of resources to face current industry threats, according to David Shearer, CEO at (ISC)2, an international non-profit membership association that provides security certifications.
Of the information security workers surveyed, 66% reported having too few of workers to address current threats. “We're going to have to figure out how we communicate with each other, and the industry will have to learn what to do to attract, enable and retain the cyber security talent needed to combat today's risks," Shearer said.
To help combat the growing gap, one third of hiring managers globally are planning to increase the size of their departments by 15% or more.
The report recommends that employers look for new recruitment channels and unconventional strategies and techniques to fill the worker gap. While survey respondents think the number one reason for the shortage is difficulty in finding qualified personnel, they also said job requirements are not understood by leadership.
The study shows that 70% of employers around the world are looking to increase the size of their cyber security staff this year. Currently 90% of the workforce is male, with the majority of security professionals having technical backgrounds. The report said this highlights the issue that recruitment channels and tactics need to change.
A majority of cyber security workers globally (87%) did not start out in cyber security, yet 94% of hiring managers indicate that existing experience in the field is an important consideration. One third of executives and C-suite professionals began in non-technical careers, the study said.
Other resources provide indicators of just how serious the shortfall in security skills has become. A June 2017 article in CSO, which provides a good overview of the cyber security workforce shortage, noted that the global cyber crime epidemic “is creating an unprecedented shortage of cyber security workers.”
The article listed a number of facts, figures, and observations on the cyber security employment crisis. For example, Cybersecurity Ventures, a research firm covering the global cyber economy, has predicted that there will be 3.5 million cyber security job openings worldwide by 2021.
The article also notes that in 2017 the U.S. is employing nearly 780,000 people in cyber security positions, with about 350,000 current cyber security openings, according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education (NICE). NICE is a program of the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce.
In addition, the current number of U.S. cyber security job openings is up from 209,000 in 2015. And at that time, job listing were already up 74% from the previous five years, according to a Peninsula Press analysis of numbers from the U.S. Bureau of Labor Statistics.
The shortage of security workers is being felt in a number of countries, even those that have a large supply of technology professionals. The CSO article noted that the National Association of Software and Services Companies (NASSCOM) estimated that India alone will require one million cyber security professionals by 2020 in order to meet the demands of its fast-growing economy.
All of this points to a key conclusion: the number of people with cyber security skills available in the market today is not nearly enough to meet demand. And this comes at a time when organizations are facing growing threats. Think of the recent ransomware incidents that made headlines worldwide.
The good news for organizations is that there are a number of excellent cyber security degree programs being offered by colleges and universities. The big question is whether those institutions and others will be able to turn out skilled professionals fast enough to meet the rising demand.