Note: This article is based on the broadcast recording hosted by Chuck Harold of Security Guy TV on the cybersecurity talent shortage, recorded on October 24, 2017. You can watch the recording or continue reading this article, which contains extracts from Tim McCreight's interview below.
In a world of increasing data breaches and security threats, the need for talented cybersecurity professionals has never been more important. However, a majority of companies are quickly realizing that being able to find savvy and qualified candidates is a bigger challenge than originally believed.
In a recent report, Cisco estimated that as many as 1 million cybersecurity openings are currently going unfilled across the globe. Another study by Cybersecurity Ventures predicts that there will be more than 3.5 million openings in cybersecurity industries by 2021, driven by advanced cyber attacks and sophisticated data compromises.
Although the causes of this shortage vary, one thing is certain: it is causing major issues for companies.
As mentioned, there is a wide variety of causes for the shortage of skilled workers. While part of the problem can simply be a lack of qualifications, one of the biggest reasons for the shortage is that the field as a whole is young.
Cybersecurity in itself is constantly growing and evolving, so education must change with that, too. However, universities are already having problems keeping up with the demand and incorporating the newest skills into their curriculum. Even if someone does graduate with a focus in cybersecurity, their expertise may not be up-to-date with the latest threats or industry knowledge.
Another reason that contributes to the shortage is that new engineers prefer to follow different routes, such as the Internet of Things, cryptocurrency and blockchain, or Big Data.
Cybersecurity is a challenging industry because regardless of the number of professionals or vacancies, the threats aren’t going away.
A new report conducted by Juniper Research estimates that cybercrime will cost global businesses over $8 trillion in the next five years. As security measures increase, cyber criminals only continue to become more organized and aggressive, and use more sophisticated attack methods.
The lack of skilled experts to ward off and protect against these threats is being felt not only in tech companies, but in every industry across the board. Any institution that holds data (whether its own, its customers’, or its patients’) can become a victim of malware, and unfortunately, most already have. One of the first steps a majority of organizations take is to hire a full-time cybersecurity professional to mitigate these risks; however, that comes with a fairly hefty price tag.
Due to the shortage of qualified candidates, competition among companies is quickly driving up salaries and benefit packages (such as unlimited vacation time, free meals, access to training and conferences, etc.). As workers recognize the demand, they gain an added advantage over the organizations that desperately need their expertise, pushing compensation even higher: a big bonus for employees, but not so much for the business.
Some of the most common careers in cybersecurity include:
While the salaries for these positions greatly vary depending on location, experience, education, and other factors, there are some average numbers that interested candidates can utilize to inform their decision.
For instance, the US average salary for a Security Engineer is $138,000, while the average for a Software Security Engineer is $140,000. Since security is required 24/7, and typically more than one employee is needed for the job at a time, these costs add up and can truly be a deal breaker for many companies.
Answers by Tim McCreight, member of the Board of Directors of ASIS International
In 1981, I started to work in physical security as a Chief Security Officer in a hotel in Winnipeg, Manitoba, Canada. I learned about fraud investigations, forensics through HR files and executive protection.
In 1998, I came to realize that the Internet would stick around for a while. Plus, in the physical security industry, I saw more and more devices being attached to the corporate network, such as cameras or card access, and it was starting to scare me. No one was thinking of these as being part of the IT network; they were considered physical security devices.
That’s when I decided to focus my time on IT security and go back to school. I spent 2 years at a technical college in Edmonton, Alberta, Canada, and learned about computer systems technology. Personally, I didn’t want to code, I wanted to break things. I learned that if I could figure out how to break it, I could also figure out how to protect it.
Moving forward, I worked in information security roles and became Chief Information Security Officer (CISO) or the equivalent in four different companies from 2000 until today.
Yes. We currently experience a shortage of between 1 million and 1.8 million qualified people in the physical and cyber security industry. Today’s CISOs struggle between choosing to build their own IT security dream teams or outsourcing their security to a trusted security service provider. Now the question is, if we put 1 million people in a college and trained them for 4-5 years, every year for 20 years, would there still be such a talent shortage? Did we miss the window to get that done?
When I was CISO of Alberta, I didn’t have a degree; I had completed grade 12 and a college diploma in computer systems technology, and I ran the security for a 48 billion dollar a year organization with IT operations around the world.
You can do this. I’m living proof that someone who is not technical can become a part of the IT security world, because you think of things from a risk perspective. You don’t get tied down to “I can’t” but to “How can I?”. I was interested in knowing how things worked. I learned early on that I wasn’t that technical guy, but I wanted to learn enough to at least be relevant in a conversation, so I needed to understand the technology. I spent time doing my own research before going back to school.
However, how are we going to come up with that volume of people and convince them that cybersecurity is an actual career, that you can make a living out of this, that you can provide value to an organization, that you are going to enable a company to achieve its objectives? I would love to see more people come on board and go through university and college programs, but the challenge of gathering so many people that quickly remains.
As professionals, we need to start bringing people in. In the old days, we used to have on-the-job training programs. Like in the military, we just got people coming in, people who had an understanding of and an interest in the job, and we would teach them on the fly. Maybe we could be looking into that. I met a lot of people throughout my career who didn’t have any university degrees, but they had this desire, this curiosity to know how things work. They were self-taught; they spent time learning.
Is there a way we could start bringing people in this industry and train them on the way and give them a formal training once they get established, once they start understanding where they want to explore and grow?
We are going to have to. We have to find solutions. Otherwise, how are we going to deal with 1.8 million people to train? It will become a huge burden.
How can we get the next generation to be interested in cybersecurity? There are great cyber titans’ programs in the United States and in Canada targeting junior high and high school students as well as post-secondary education students.
We must get to the point where kids get hooked at the junior high level, so that they can start looking at this as an opportunity and a chance to learn skills early. Can they bring those skills forward as they get into high school? Can they take this up as a career when they enter university? Can they do an on-the-job training program once they get into high school? They could get an understanding of vulnerability management by trying some penetration testing or white-hat hacking to understand that part of cybersecurity.
How do we get people to get engaged in our industry, start thinking about it from a risk perspective and look at the different components?
Take a home inspector, for example. From the time a home inspector gets out of his truck, gets his ladder out and starts walking up the sidewalk with clients to take a look at the home, he’s conducting a risk assessment. From a compliance perspective, he knows what he needs to see from the building code; he needs to understand the diverse types of building structures, how old the facility is, what the original electrical code was, etc. All he is doing is making observations and documenting them for clients. He is providing them with his assessment of risk, giving them a timeline of when they would need to change the roof, electrical, and windows, as well as the cost. All of this will help in making the final buying decision and will be taken into account when the buyers make an offer and when they start planning their future budget to remediate the risks.
We need to know how to stay relevant inside the industry that we are in. Regardless of the field we are in, whether it is physical or cyber security, it is our job to identify and reduce risks on behalf of an organization. The trick is to remain relevant in your role. Can you understand the different components that make up the risk program or the security program? Can I provide value by offering my skill set to the other side?
We need to understand the concept of relevance and how to continue to remain relevant in an industry that is constantly changing.
Yes, partially. Most people try to embrace change. If people understand that there is an opportunity to move forward in their career by being willing to learn more, it is possible to gain a good knowledge of cybersecurity.
Once you understand what the risk is, regardless of whether it is physical or IT security, you can leverage your knowledge of physical security, for example walking the perimeter, checking the doors, etc. In the end, it comes down to asking yourself a few very simple questions:
More and more, we have become numb to the concept of a breach. We have become numb to the idea that our privacy and confidential information is readily available, numb to the sheer volume of how many times we’ve been contacted by a credit card company saying that a certain hotel got breached or that our PlayStation account got hacked.
We created this massive amount of data about each one of us, and we are dealing with companies that may or may not have the budget or the ability to address the risk but are taking your information anyway to provide a service. Unfortunately, many organizations don’t have proper risk practices in place, and executives just ignore the risk and cross their fingers, hoping they are not going to get hacked.
How to deal with the repercussions? The repercussions are not something you are going to see tomorrow. This is a problem that will occur 20 years from now but that we need to deal with today.
With so much at stake, organizations simply cannot afford to have weak security any longer, but the idea of spending more than $900,000 a year may not be feasible. An option could be to partner with a Managed Security Services Provider (MSSP). MSSPs offer services for the oversight and administration of a company's security systems and processes. Their services are usually conducted remotely and include setting up the infrastructure and incident response, along with threat monitoring, compliance, and data protection.
As systems become more cloud-based, and cyber security threats only continue to increase in complexity, the need for an MSSP and the services they provide has never been more important. While there are many benefits to hiring an MSSP, one of the most appealing is the amount of savings they provide.
Some of the other benefits of hiring an MSSP include:
When it comes to the security of company infrastructure and data, nothing should be taken lightly. If you find that the talent shortage is making salaries too competitive for your company to keep up, there are other options available.