In 2015, business consulting firm Frost & Sullivan forecast a shortage of 1.5 million workers in the cybersecurity industry. The estimate, which was astounding then, has recently been upped to 1.8 million by 2022 and comes as no surprise for many—cyber threats continue to increase while requiring less technical know-how from hackers than ever before.
The 2017 Global Information Security Workforce Study, a product of The Center for Cyber Safety and Education and (ISC)2, Booz Allen Hamilton, Alta Associates, and Frost & Sullivan, includes survey responses from over 19,000 respondents across 170 countries and examines the state of response to developing risks.
The Times of India reports that HR experts say their companies are ready to hire talent that may prevent data breaches or other missteps that may ruin a brand. This is especially true in healthcare, where patient data is especially private and often digitized.
An Evolving Need
According to the study, data exposure tops the list of potential threats amongst IT security professionals in North America and the Asia-Pacific region. In the Middle East-Africa region, hacking is leading the charge, and in Latin America and Europe, respondents were worried about ransomware.
These worries are well founded—Cybersecurity Ventures predicts that cybercrime costs will go from $3 trillion in 2015 to $6 trillion by 2021, in part because cybercrime is evolving. What once involved targeting and causing destruction to computers, networks, and mobile devices has evolved to include the huge variety of devices that make up the internet of things. Planes, power grids, even your toaster can be victimized by cybercrime.
President Barack Obama toured the National Cybersecurity and Communications Integration Center in 2015. Image courtesy of Pete Souza via the White House Archive [CC BY 3.0]
So Why the Shortage?
Potential information security employees can expect rising salaries, increased budgets, a high level of job satisfaction, and few changes in employment status. There’s obviously a growing demand for skilled individuals in the field of cybersecurity, but, even now, there is a lack of applicants to fill these positions. Shuchi Nagpal, chief education officer at Asian School of Cyber Laws, believes that, despite the existence of colleges teaching cybersecurity as a full-time courseload, their focus is on teaching technology rather than techniques that contribute to cybersecurity and investigation. “Technology evolves; the basic techniques don’t,” he says.
(ISC)2’s David Shearer, who serves as CEO, disagrees. “We could be focused on the wrong problem in thinking the dearth of talent within the industry is directly linked to the lack of technical colleges and universities producing STEM graduates. It may very well be that we’re not doing a good enough job of making the case to students that cybersecurity can be a rewarding career path from monetary, job stability, and a sense of contribution perspectives,” he said.
At its most basic level, the problem is simply a lack of entrants.
Cybersecurity Now: The Role of Design Engineers
Threats to cybersecurity are large, and available resources are limited. Scott Borg, who directs the U.S. Cyber Consequences Unit, believes that the future is in the hands of hardware engineers. In May, Borg spoke as part of the MEMS and Sensors Technical Congress at Stanford University and warned that “the people in this room are now moving into the crosshairs of cyberhackers in a way that has never happened before.” He pointed out the increasing focus on hardware, especially equipment in industry.
Borg frequently speaks about the need for hardware engineers to design from the standpoint of the cyber criminal, identifying loopholes and increasing the potential cost to a hacker on a mission. He also encourages engineers to be forward thinking in their designs to anticipate potential problems and think about where exactly value is created.
An Unsolvable Problem?
(ISC)2 recommends a concerted effort to increase the rate of new entrants, design engineers included, into the information security workforce, but it is perhaps easier said than done. Ultimately, they suggest expanding the way in which we think about these positions, offering more pathways, including internships and apprenticeships. They also place value on increasing the amount of information security curriculum, tapping into other sources of talent (like community colleges), and using existing tools and processes to optimize existing talent.
There’s also artificial intelligence, long villainized as a threat to workers in roles ranging from fast food worker to management. Programs like the Department of Defense’s Project Maven hope to use algorithms and AI to triple the productivity of their analysts in processing surveillance video. But, experts say, in this case, there’s very little substitute for real human skill.
Dan Lohrmann, the Chief Strategist and Chief Security Officer at Security Mentor, Inc., believes that AI is not capable of filling the worker/skills gap, but that in the medium and long term, it can certainly help.
While artificial intelligence has an important role in supplementing worker gaps, it is no substitute for qualified workers.