We’ve been hearing about the cybersecurity skills shortage for a long time. As an InformationWeek article reported last year:
It's a problem spanning businesses and industries around the world. The global cyber-security workforce will have 1 to 2 million jobs unfilled by 2019. In the US alone, about 209,000 cybersecurity jobs were unfilled in 2015.
Cybersecurity Ventures founder Steve Morgan thinks that number is low, according to a CRN article. Morgan puts the security skills gap number at 3.5 million by 2021.
Whatever the actual number is, we know that there is a severe talent shortage at a time when having cybersecurity professionals on staff is more critical than ever. Outsourcing security to a managed service provider offers a lot of help, but I’d be willing to bet most companies would like someone with a security background onsite to manage things on the front end.
While we talk about that skills gap all the time, do we really know why it’s happening? In the past, cybersecurity classes weren’t common – that has definitely changed – and organizations were reluctant to budget for security training. However, a new study from Tripwire may have pinpointed a reason: The vast majority of current security professionals said the skills needed for the job have changed.
Does that mean the training students and potential security professionals receive is obsolete from the get-go? It’s possible, and not surprising. Look at how quickly the threat landscape has shifted over the past couple of years. Cybercriminals are growing in sophistication, but the skill levels of security pros aren’t keeping up. In fact, the Tripwire study found 72 percent believe it is more difficult to hire skilled security staff to defend against today’s complex cyberattacks compared to two years ago. Significantly, 81 percent believe that the skills required to be a great security professional have changed in the past few years. This is why more than 90 percent said they are supplementing in-house security with outsourced services and 98 percent expect other functions like non-security teams to be more involved in cybersecurity moving forward.
In response to the study, Tim Erlin, vice president of product management and strategy at Tripwire, suggested that security professionals are also spread too thin, stating that security practitioners may now be expected to spend more time in boardrooms or fighting to secure more budget. In a statement, he added:
The skills gap doesn’t have to be an operational gap. Security teams shouldn’t overburden themselves by trying to do everything on their own. Organizations should also understand that security is a shared responsibility across different functions, so people from other parts of the business should be involved in the cybersecurity program.
I agree with the idea that security has to be a shared endeavor, especially in light of a serious skills shortage. At the same time, we can never think that training, even for professionals, is done. Skills, like threats, have to constantly evolve.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba