The cybersecurity talent shortage keeps getting worse. According to Cybersecurity Ventures, the cost of cybercrime will double from $3 trillion globally in 2015 to $6 trillion by 2021. Meanwhile, the number of open cybersecurity jobs will increase from 1 million in 2016 to 1.5 million by 2019.
Meanwhile, the scale and damage of the attacks continues to increase. According to Juniper Research, 2.8 billion customer data records are expected to be stolen this year, increasing to 5 billion by 2022. The total cost of ransomware attacks alone is estimated to reach $5 billion this year, according to Cybersecurity Ventures, up from $325 million in 2015.
Right now, in the United States, there are nearly 350,000 job openings for cybersecurity professionals, and fewer than 800,000 people total in the nation's cybersecurity work force, according to CyberSeek. The number of people with security certifications is also in short supply. There are 30,000 open postings for people with the Certified Information Security Manager certification -- but only about 10,500 certificate holders.
Looking outside the box
That makes traditional recruiting very difficult, and companies need to look for other ways to find people beyond posting help wanted ads, hiring recruiters, and searching for professionals who are already trained and experienced in the work.
One option is to look for people in related technology professions, says Alan Cohen, chief commercial officer at Sunnyvale, Calif.-based Illumio. "Lots of smart IT people are moving into information security," he says. "As things become more software-led, application developers and operations people will filter into important security roles."
Another untapped resource is women. Currently, only 11 percent of the information security workforce is female, according to the ISC2. Improving diversity would go a long way to addressing the talent shortage. "To me, diversity is about finding talent where people are not looking," says Cohen. "One example of a forum we frequent is Women in Technology International."
Other good sources are people with government and military experience, he says. "There are both amazing skills and talent available in the government realm," he says. "Not only do many of them have technical training in the right areas, they have the ability to master new skills and not shrink under pressure." The company also holds hackathons at college campuses to discover new talent, he adds.
They're not the only one looking to competitions. "One of the most effective ways at finding information security talent is through participation in regional hacking conferences, such as Defcon in Las Vegas and HackMiami in South Florida," says Alex Heid, chief research officer at New York-based SecurityScorecard, Inc.
According to Heid, organized competitive hacking is now a sport, and a great way to practice both offensive and defensive technique in a live fire environment. "Some information security companies have mini Capture the Flag hacking challenges that are presented to candidates during the interview process, and it seems to be a useful tool for identifying talent right away," he says.
Trend Micro, Inc., has taken this a step further. The company has been running its Capture the Flag competition for three years, says Ed Cabrera, the company's chief cybersecurity officer. "It's a fantastic way to provide opportunities for us to identify individuals who have the talent and aptitude," he says.
It's a global competition, and this year's finals are in Japan, with the top competitors getting a free trip to the event. "We might not hire any of them, or may hire some of them," Cabrera says. "But either way it gives us a great pool of individuals to look at."
Silicon Valley isn't the only place to find smart cybersecurity people, Cabrera says, and the global nature of the competition is one of the ways the company is looking outside the region. "In this day and age that type of capability and talent is global," he says. "For example, I just spoke at a panel in Miami, at an event focused at tech startups in Central and South America and the Caribbean area."
Trend Micro also looks for people who are already working at the company, but in different jobs. "The individual might be working in a business unit that doesn't challenge them, or give them the opportunity to show off their skills," Cabrera says.
Too often, there's too much emphasis put on the technical skills, Cabrera says. "A lot of what goes into cybersecurity is not necessarily the technical skills but the soft skills, the investigating mindset, ability to solve problems," he says. "I always would look towards the more soft skills, the enthusiasm, the problem solving, and the creativity side, and include that into my analysis."
Cabrera himself started out by investigating financial crimes, and moved into cybersecurity later on in life. "I'm a late bloomer," he says.
Trend Micro isn't the only company willing to look at people with non-traditional backgrounds. "We've had people on our SOC team who have music and art backgrounds," says Janet Levesque, CISO at Bedford, Mass.-based RSA Security. "There is something about musical backgrounds that seems to have a lot of synergies with what you need to do in cyber. Some of that is being able to pick things up quickly. So if someone can sight read music, or pick up information quickly, and has creative problem solving skills... we've had a lot of people who come out of diverse fields."
Given how fast cybersecurity is evolving, good analytical skills are more valuable than knowing a particular technology, Levesque adds. "The technology that you may use today might be obsolete tomorrow," she says.
To help non-traditional hires get going in their jobs, RSA offers a combination of on-the-job training, company-sponsored training, and funding for external training and education programs. Plus, RSA offers proprietary training to customers on its products, so employees get that, as well. "We drink our own champagne at RSA," Levesque says.
The war for talent
When it comes to hiring the best, most experienced people, there's a war on. Companies have to step up both their offensive and defensive capabilities in order to find and retain the talent they need. "The people you want already have jobs," says Bob Heckman, VP and CISO at Vienna, Virginia-based Criterion Systems, Inc.
To get to the best people, to those who are successful and happy in their jobs, and aren't actively job hunting, takes work. One successful strategy is to draw on the personal connections of your own employees, Heckman says.
"We have a cybersecurity architect who is brilliant, and his personal reputation draws other people like him," he says. That means that the current employees have to be able to make friends, build reputations and personal networks. "Not only do we encourage it, we make them do it," says Heckman. "We make them attend cyber functions that aren't sales."
That includes participating in more technically advanced, smaller meetings. It also includes very private events that the company has access to because of the classified work that it does.
A company also has to be careful not to come off as too predatory when meeting people at industry events, he adds. "If you come off looking like you're using it as a recruiting event, they all leave," he says. "It has to be natural."
It can take time, he adds. "A lot of companies actually maintain your own personal database of cyber talent that they continue to track through their careers," he says. "They continue to actively reach out to these folks and see what they're doing in their careers and if they're doing anything new, maintaining the relationships in the community."
Then, to bring those people in, and keep them, takes a good understanding of what they really want from their jobs. "Cyber people are special," says Christy Cooper, Criterion's senior recruiter specializing in cybersecurity.
To keep them happy, the company focuses on helping them develop their careers, investing in continuing education as well as project-related certifications. To keep people from getting burned out, they can cycle through different security jobs at the company that helps make them more well-rounded. Happy employees also help with recruitment, Cooper adds.
"Make sure that the team that is already on the ground and working demonstrates that they enjoy what they do," Cooper says. "If you enjoy the people you work with, enjoy the mission, that comes across. People want to come work for you."
Growing the pie
One of the biggest challenges the cybersecurity profession faces is getting people into the pipeline early, and there have been a number of different industry efforts to address that. According to a 2017 study by Raytheon, the number of young adults aware of what cybersecurity professionals do has been going up.
In 2015, 46 percent of young men and 33 percent of young women were aware about cyber careers, and that increased to 54 percent of young men and 36 percent of young women in 2016. Interest in cyber careers is also going up, with 43 percent of men and 30 percent of women saying they were more likely to go into cybersecurity than they were a year before. The number of U.S. millennials who says that there are cybersecurity programs or activities available to them has increased from 57 percent in 2015 to 70 percent last year.
One of the companies offering such activities is IBM with its Hacker Highschool project for teens and young adults. IBM is also investing in vocational training and coding camps, skills-based certifications, associate degree programs, and training programs for military veterans. According to the company, nearly 20 percent of the security employees IBM hired since 2015 have non-traditional "new collar" backgrounds.
Other companies are also trying to help improve cybersecurity education. Germany-based NTT Security, for example, is working to develop relationships with universities that help the company go beyond just participating in career fairs. "We have employees who participate in advisory boards to help universities develop relevant curriculum for careers in cybersecurity," says Stewart Brooks, NTT’s director of global talent acquisition. That includes the University of Nebraska-Omaha, Dakota State University, Robert Morris University and the Pittsburgh Technology College.
In addition, the company is sponsoring SANS Institute trainings and certifications through the Vet Success Program. "The SANS Institute also has a newer program which focuses on women in the cybersecurity field," Brooks added. "This is something that we are looking at partnering with them as well."
Palo Alto Networks is looking even earlier in the pipeline, with a partnership with the Girl Scouts. Girls in grades starting with kindergarten will be able to work on their cybersecurity badges starting this coming September.