Security skills shortage is real, and it's not going away anytime soon

Companies face a number of short-term challenges, RAND Corp. says

There's good news and bad on the cybersecurity skills availability front.

On the positive side, the current shortage of cybersecurity professionals in the U.S. will likely resolve itself over the next several years as the result of recent efforts involving education, training and security awareness.

But for the time being, organizations will find it disturbingly difficult to find the skilled workers they need to defend themselves from internal and external threats, the RAND Corp. warned this week.

Not only will cybersecurity skills become increasingly costly, they will also become very hard to come by in the near future, said Martin Libicki, one of the authors of a 125-page report from RAND.

"There's plenty of evidence that there is a shortage" of cybersecurity professionals -- especially within government organizations, Libicki said. "The problem cannot be solved overnight. It will take a long time to get the right people into this profession."

The RAND report examines the nature and the source of the cybersecurity skills shortage in the U.S. and how the private sector and the government have responded to the crisis.

Demand for security professionals has skyrocketed since 2007 as the result of increased connectivity, raised awareness, more vulnerabilities and ever more hacker activity. The sudden and rapid rise in demand has led to substantial increases in compensation packages for security professionals in recent years, but that has done little to attract new cybersecurity professionals, RAND said.

"In the longer term, as long as demand does not continue to rise, higher compensation packages and increased efforts to train and educate people in cybersecurity should increase the number of workers in the field" -- putting downward pressure on salaries, it noted.

Some of the increased demand may also run counter to the underlying realities. Because of the heightened attention paid to cybersecurity, it's possible that some companies think they're at greater risk than they were a few years ago and assume they need more people.

As organizations come to better understand their true security needs, demand for cybersecurity workers may fall in the longer term, RAND said.

Here are four other takeaways from the report:

Government organizations are hurting the most

The increased demand for cybersecurity professionals has pushed compensation packages to levels that government organizations have a hard time matching. This is especially true for their ability to attract or retain top-level security professionals, Libicki said.

Government compensation is often constrained by rigid pay scales and grade levels that restrict the ability of agencies to hire the skills they need in a supply-constrained labor market. The problem is less acute for lower to mid-tier IT security pros.

"However, once professionals can command more than $250,000 a year, the competitiveness of the U.S. government as an employer suffers correspondingly," the report noted. Though special pay rates are often available to senior-level IT specialists, the long recruitment processes, vetting and security clearance delays can discourage candidates.

Companies can pay all they want and still not find enough people

In the short term, the supply side of the manpower equation will not be responsive to higher salaries because there simply aren't enough professionals to go around. Since training and educating a new generation of cybersecurity workers can take years, organizations that need security skills will be hard pressed to find them.

On a positive note, the higher compensation packages offered to security professionals could begin to attract would-be hires from other areas such as engineering.

Organizations should look at alternate approaches

Companies and government entities should consider adopting more secure system architectures and best practices to reduce their dependence on manpower. Organizations spend close to $70 billion on cybersecurity annually around the world, Libicki said. If even a tenth of that amount were invested in making software more secure, there would be less of a need for so many cybersecurity professionals.

"We have a model that basically says 'I accept the world of software as is and I am going to patch everything at a systemic level,'" he said. It is an approach that is basically unsustainable in the long term. A company that has 600 security professionals today might require 1,000 in a few years -- and still not be secure.

Importing talent may not be a good approach

For one thing, a great deal of cybersecurity work is already internationalized, RAND said. For another, bringing in workers from other countries could depress wages and discourage U.S.-born professionals from entering the field. That could become a problem because foreign-born nationals will not have the security clearances required to work for many government organizations.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
