What do the FBI, Trump’s hotel chain, Sony, and JP Morgan Chase all have in common? They are all companies that were hacked in 2014 and 2015, each one a reminder to the rest of us that no one is immune to the threat of criminal hackers. Just this October, a cyber attack disrupted PayPal, Twitter, Spotify, and multiple other websites.
Cyber attacks damage not only a company’s reputation, but also its bottom line. One study suggested the average cost of a data breach in 2015 was $3.8 million. As the costs of data breaches climb, so too does the demand for cyber security experts.
Unfortunately, too many companies are coming up short in their search for skilled professionals to help protect them from cyber attack. A study conducted by Intel Security with the Center for Strategic and International Studies (CSIS) found more than 80% of IT organizations in eight countries face a shortage of workers who specialized in cyber security.
In other words, there is a serious skills gap in cyber security.
Where did this gap come from? Given the short supply of cyber security talent, how can companies find the cyber security skills they need?
The Cybersecurity Skills Gap Leaves Us Vulnerable
“The deficit of cyber security talent is a challenge for every industry sector. The lack of trained personnel exacerbates the already difficult task of managing cyber security risks,” according to the CSIS report.
The current shortage of cyber security skills is concerning for companies in all industries. One in four of the IT professionals surveyed said their organizations had been victims of cyber theft because of their lack of qualified workers.
It is estimated that by 2019, between one to two million cyber security positions will be left unfilled. In the United States alone, 209,000 cyber security positions in 2015 sat vacant because of the shortage of cyber security skills.
Hackers are taking notice of this gap. Worryingly, 33% of respondents to the Intel Security-CSIS survey said their organization was a target for hackers who knew their cyber security was not strong enough.
Origins of the Cybersecurity Gap
With the risks and damages of cyber attacks increasing every year, it stands to reason that we’d see an equal increase in trained professionals ready to combat these attacks. It’s clear that hackers are advancing their skills and methods quickly, so why are we struggling to find skilled cyber security experts?
Numerous factors have led to the skills shortage, but the two most prominent lie in the shortcomings of educational programs and insufficient government policies.
While the United States has many cyber security programs in top universities, this is not enough to overcome the challenges in the education field. It is difficult for IT programs at universities and vocational programs to keep up with the rapid pace of change within the IT field.
As a result, only 23% of IT professionals believe education programs fully prepare cyber security professionals for the industry, says the CSIS report. That’s less than half of trained IT workers who graduate feeling adequately prepared to go up against today’s cyber threats.
The second factor is related to the first. The insufficiencies of our educational programs are in part due to the fact that governments aren’t investing enough in cyber security education. More than three in four IT professionals agreed that their government needs to invest more in building cyber security talent.
Neither have governments crafted sufficient laws and regulations for cyber security. More than half of IT professionals surveyed said the cyber security laws in their country could be improved.
Together, inadequate education and government policy concerning cyber security have helped create the skills gap we see today. Highly technical skills are most in demand, with the following three being most cited: Intrusion detection, secure software development, attack mitigation
“Conventional education and policies can’t meet demand,” declares the Intel Security-CSIS study. “New solutions are needed to build the cyber security workforce necessary in a networked world.”
Fortunately, it’s not hard to see what some of these solutions should be.
Finding Ways To Fill the Gap
Given its severity, it will take real commitment to address the shortage of cyber security skills. Here are a few good places to start.
Education and training solutions
As traditional academic programs fail to impart necessary cyber security skills, workers and employers are addressing the skills gap through unconventional education methods.
As one example, AT&T and Udacity offer a “nanodegree,” which promises to provide “industry credentials for today’s tech job” through courses on information security, building secure servers, and more.
Within academia, current cyber security programs should pivot to provide more hands-on experience and training. A traditional lecture can only go so far in preparing students for working in the cyber security field; real-world experience makes a huge difference. Many companies have already begun incorporating ongoing cyber security education and training into the workplace.
This training is important for staff retention, too. Nearly half of survey participants said a lack of training, or sponsorship for certification programs, were common reasons for employees to leave their organization. The cost of outside training is often too high for employees to pay on their own. Companies who are willing to foot the bill for these costs have an advantage in attracting and retaining cyber security talent.
It’s time for governments to take the skills gap more seriously, and that means investing in cyber security and updating cyber security laws.
According to Intel Security-CSIS, another important step is to collect more national data and standardize the taxonomy for cyber security job functions. Currently, a lack of data makes it difficult to develop targeted cyber security policies and measure their effectiveness.
Relying on outsourcing
Unfortunately for the thousands of companies in need of cyber security skills, there’s no immediate fix. In the long run, government investment and nimbler academic programs are necessary to close the gap in cyber security skills.
These solutions will take time, and until then, many companies are responding to in-house talent shortages by outsourcing cyber security work. More than 60% of survey respondents worked at organizations that outsourced at least some cyber security work. They most often outsourced risk assessment and mitigation, network monitoring and access management, and repair of compromised systems.
For many companies, outsourcing is the only way to get the cyber security skills they desperately need. The skills shortage has driven up the value of in-house cyber security employees, with the median cyber security salary nearly three times the average wage according to the CSIS survey. In the United States, cyber security jobs pay an average of $6,500 more than other IT professions.
Big cyber security spenders -- like the United States government and the financial services industry -- may be able to pay the rates cyber security professionals demand, but other organizations will struggle to do so. For these organizations, outsourcing may be their best option.
In time, academic programs and government policy can catch up to the growing demand for cyber security skills, and it’s essential that nations devote resources to these goals. For now, if companies don’t have the skills they require, third-party cyber security firms offer the best chance at protecting them from the ever-present threat of cyber attack.