The nature and severity of the cybersecurity skills gap, or skills shortage, fosters debate across media, business, and the industry itself. The latest research from the International Information System Security Certification Consortium (ISC)² focuses on accurate figures regarding the cybersecurity profession. Most pertinent is that the global cybersecurity job skills gap has grown to almost three million, contributing to concerns around attracting and retaining sufficient skills in the cybersecurity industry.
However, data relating to vacant job roles and insufficient cybersecurity skills rarely highlight the reasons, background, and reality of these situations. While most security professionals will agree there is a shortage of cybersecurity skills, they’ll also stipulate that the very nature of cybersecurity as a profession is difficult to define, and thus that it is difficult to calculate the scale of any skills gap.
In reality, the profession is stuck in a never-ending need to catch up with developing cyberthreats, in turn creating distance between qualified professionals’ knowledge and the threatscape they are defending against. This skills gap is not a reflection of poor-quality cybersecurity training, knowledge, or effort. Rather, it’s an indicator that technology and the criminal malice that follows it are developing quickly, outpacing the industry’s ability to recruit and train enough new talent.
Due to the rapid development of information technologies, connectivity, and related cyberthreats, it’s easy for consumers, organisations, and government agencies to forget how young the cybersecurity profession is. The notion of cybersecurity gained prominence in the 1970s, when the greatest threats to confidential information were malicious insiders reading documents stored on computers.
As computers became increasingly connected in the early 1980s, cybersecurity concerns multiplied as governments and large organisations realised they needed protection from malicious computer and network activity. Few industries have had to keep up with a rapidly-evolving cybersecurity landscape that has the ability to take down individuals, organisations, and governments.
Cybersecurity professionals tend to be highly-trained and well-certified but, as the context of malware develops, cybersecurity professionals need to fit increasing demands and workloads into their daily lives.
Today, cybersecurity professionals mostly agree there’s a shortage of skilled employees in, and a deficit in the numbers entering, the security space. In 2016, the Australian Information Security Association surveyed cybersecurity staff, and revealed nearly 78 per cent of respondents agreed or strongly agreed there’s a scarcity of qualified cybersecurity workers for available positions in Australia.
Previous studies of the cybersecurity skills gap have arrived at different answers and revealed different findings, showing that, in an industry born in the 1980s, things like skills gaps, job demand, and employment statistics are hard to measure. Many organisations have consistently failed to attract enough people into the cybersecurity profession, or ensure they have the right skills.
Questions around how many people are required to combat developing threats, how professionals who’ve graduated from cybersecurity skills training can stay up to date with continually evolving risks, and how to keep pace with the rate of technology development and deployment, are yet to be answered.
Ideally, well-trained professionals should enter the workforce fully prepared and competent to combat threats. However, as new devices or technologies enter the market, cybercriminals can update and improve malware, access additional entry points, and charge ahead of security professionals. These constant developments in cybercrime, technology, and workloads contribute significantly to the increasing the skills gap.
Ultimately, addressing the cybersecurity skills gap will have less to do with bringing more people into the workforce, and more to do with software and hardware developers ensuring new technology is inherently better secured by default, and less vulnerable out of the box than current technology. The industry simply can’t rely on a sudden decline in cybercriminal activity, or a huge breakthrough in security technology, but it feels as if we may be at an inflection point where legislative efforts to improve cybersecurity may increasingly likely to have an effect.
Writing this as we enter into a New Year, a big question on many cybersecurity professionals’ minds is what will be the effect of GDPR having come into full force back in May? Independent of the small number of convictions and threatened or expected enforcement actions, although GDPR is ostensibly about the privacy of EU citizens’ data, addressing the systemic factors to make an organisation compliant with GDPR requirements also has more general cybersecurity implications. And those mostly drive improvements in an organisation’s cybersecurity stance. Other influential legal jurisdictions are having an effect too. For example, California has recently enacted a bill that requires “a manufacturer of a connected device, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device”. While the bill is rather vague about what “reasonable” measures are, as is so often commented about California, it would be the world’s fifth largest economy were it to secede from the USA, and hence carries an enormous amount of sway on US, and even international legislation and commercial practice.
Another approach to addressing the skills gap would be to delay rapid device development and deployment, giving cybersecurity training and education a chance to better prepare new entrants to the workforce, and limit the soaring increase in networked devices hackers could seize. However, that is a very unlikely outcome unless highly coordinated, multinational regulations were to be enacted and enforced, and it seems things are not bad enough (yet) for this to happen.
The cybersecurity profession is still young and developing. In a space where professionals still struggle to define standard job descriptions, defining a skills gap is complex and challenging. As security demands change, the future of cybersecurity skills development and talent acquisition is likely to look quite different.