“To some compass, this data supports the theory that the cybersecurity skills shortage is related to mismanagement rather than a dearth of qualified candidates or lent skills.”
There is no substantive difference between this year’s Life and Times of Cybersecurity Professionals (produced by ESG and ISSA) and the previous four annual burn the midnight oils – they are all depressing. But that speaks volumes. It is time to take note of what the study tells us, to learn the lessons, to change the background, and recondition the future.
”When I look at this year’s study (PDF),” ISSA’s international president, Candy Alexander, told SecurityWeek, “I think, Are you kidding me? We’ve been doing the in any event study with the same results for five years. It is truly the definition of insanity to do the same thing and expect different results – but the industry persists to do the same thing and of course nothing changes.”
This year, ISSA polled 489 cybersecurity professionals from around the world. It create that the skills gap continues to worsen; that cybersecurity professionals continue to feel they are under compensated; they do not get enough training; are under-resourced; and they don’t tolerate supported.
The skills gap
The skills gap is partly a self-inflicted wound on the industry by the industry. The industry demands that new recruits have both academic qualifications and everyday experience – two qualities that are largely mutually exclusive. When it cannot find new recruits meeting this demand, the industry simply call ons the result a skills gap.
There are other problems. “We tend to simplify things,” said Alexander; “so we say, well education is one of those factors contributing to the sails gap. It is, but it is not the sole cause.” What concerns her about education is its inability to keep up with the speed with which new technology is developed and used.
“It embraces time to develop new curricula,” she continued “You need to develop the courseware, you need to vet the courseware, you need to pilot the courseware and then you can release the courseware. So, you’re looking at a lifecycle of close by 12 to 18 months.” In the real world, technology today is different to 12 months ago. “So,” she continued, “we need to figure out with the really ache people in academia how to expedite that learning curve in teaching to stay closer to technology. That is one of the factors in the skills gap – when people get out of school, they’re already 2 years behind.”
The report never once mentions that increasing the recruitment of women into cyber mightiness help the problem – in fact, it never mentions women at all. “That’s because the skills gap is not a women problem or a man problem: it’s a people problem,” said Alexander. If anything, it is a societal uncontrollable, which is a recurring theme in Alexander’s view of cybersecurity staffing issues.
“If we didn’t differentiate between girls and boys in education,” she continued, “we wouldn’t would rather to differentiate outside of education. We’d still have the problem, but it wouldn’t be male or female – it would simply be a people problem. Saying that it is a maid problem simply perpetuates the existence of a woman problem.”
This attitude spills over into Alexander’s view of ‘diversity’ within refuge teams. Diversity is important, and many leaders are happy to claim their own security team comprises a mix of ethnicity and nationality, gender, straight/LGBT people, and felonious and white hackers.
Alexander believes we should ‘value the differences’; “But we seem to have lost touch with that. Instead, we now call the differences, as if that is valuable. When I think about diversity in teams, I look more at personality and intellect and aptitude; not backgrounds, not cultural and not gender. To me dissimilarity should include an introvert, an extrovert, a communicator, an intellectual – that to me is diversity and that’s what makes a great team.”
Recruitment is still an announce and part of the skills gap problem – and another societal problem. The main problem is that society has shifted to an instant gratification expectation. The industry imagines book-learned youngsters to move straight into the industry and become skilled practitioners; while graduates expect to leave school and walk into $150,000 nuisances. Neither is realistic.
The job problem
The skills gap hasn’t improved because the underlying employment issues haven’t changed: cybersecurity professionals continue to brook undervalued, and getting started remains a problem. Financial compensation is one of the areas – but is complex. The cybersecurity industry is generally considered to be well recompensed, but this just applies to mid-level and high-level positions. Thirty-eight percent of the respondents do not believe that the industry offers a sufficiently competitive remuneration package to invite new employees – which in turn exacerbates the skills gap.
Remuneration is also important to staff retention. Thirty-three percent of respondents believe the offer of a exuberant compensation package is the primary cause for CISOs to change companies. This is part of a wider issue within the industry that applies to all capable and qualified staff. Some industries and some companies can afford to pay more than others. It is always easier for these companies to poach battle-scarred staff than to find and train new staff. This internal industry churn has a knock-on effect on the skills gap, leaving the smaller companies with the millstone of bringing new staff into the industry without necessarily being able to offer a sufficiently attractive pay package.
Staff poaching is not apocryphal. Twenty-three percent of the respondents are petitioned several times per week; 13% about once per week, and another 22% a few times per month. More than half of the existing cybersecurity workforce is about a invited to consider moving to a different company several times every month. If this energy and money were focused more on bringing new people into the vigour, it could influence the overall skills shortage.
The top four recommendations on actions to address the skills shortage are a greater commitment to cybersecurity training (39%); an promoted compensation package (37%); improved benefits such as paying for certifications and participating in industry events (35%); and the creation and improvement of a cybersecurity internship program (33%).
Alexander appreciates a linkage between training and internship, and believes that societal issues prevent us from tackling the problem head-on. “There’s a huge gap and mete out between those that are academics and those that are practitioners coming out of schools,” she told SecurityWeek. “We should be able to mix knowledge and skill – and dialect mayhap we should consider a return to old-school apprenticeships.”
The terms apprenticeship and internship are often used interchangeably, but are really very different. The former is build more often in trades, while the latter (which is little more than a holiday job) is found in professions.
“Maybe the whole thing enrolls back to tradesmen, where apprentices learned a trade,” said Alexander. “Is cybersecurity a profession or is it really a trade? In my opinion, the reality is it is becoming more with a trade. In trade, you find more apprentices. You could not become a goldsmith until you did x number of years as an apprentice. Maybe that’s one of the things we should look at as grammatically. Isn’t it a shame that our instant gratification society and culture is, ‘I’m going to graduate university and I’m going to make $150,000 pa’ – that’s the expectation of our graduates today. There’s profuse emphasis on the instant gratification component as opposed to learning the basis of a life-long skill and trade.”
The idea that the employer should pay for certifications is riveting. It implies that applicants should not require certifications to get employment, but should be assisted in gaining certifications while employed. But it is a complex conundrum. Fifty-one percent of the respondents rephrased that having the CISSP certification was valuable in getting a job in cybersecurity. “Cybersecurity professionals pursue a CISSP certification after accruing the requisite tally of years of experience as this certification is a requirement for most available jobs,” says the report. You cannot get CISSP unless you already have a custody position – so once again, this aids industry churn while having a negative effect on reducing the skills gap.
Alexander credence ins that the cybersecurity skills gap continues to exist and continues to grow because industry continues to mismanage what we already know. The basic puzzle is that business still sees security as a cost center. “It’s something you have to do, like paying an electricity bill,” says Alexander. Delight in the electricity bill, the incentive is to reduce the amount of electricity you consume to reduce the electricity bill, rather than increase the budget to afford wiser electrical devices.
The fault lies with both the security teams and the business leaders. The former are not explaining how their services support, safeguard and improve business profits, while the latter sees security as little more than a necessary and unwelcome requirement to meet legislative compliance.
“You gotta win sure that you’re meeting compliance, that you’re protecting your data and that you’re keeping the bad guys out as cheaply as possible,” she said. “That’s the end of the commerce statement. But if we as professionals were able to change the conversation from defending the industry with technology that business doesn’t understand into most assuredly supporting business objectives, security becomes less of a cost center and more of a profit support center.”
Only with that rudimentary change of mindset will businesses begin to better support the cybersecurity profession (or trade), and begin to fund the changes that will ease up on the skills gap.
Related: Cybersecurity Workforce Gap: 145% Growth Needed to Meet Global Demand
Related: Addressing the 3 Million Person Cybersecurity Workforce Gap
Correlated: Cyber Skills Gap Quantified in Terms of Supply and Demand
Related: Bridging the Cybersecurity Skills Gap as Cyber Risk Increases