The ongoing shortage of qualified cybersecurity IT professionals is creating a set of problems that goes well beyond the immediate security of data and systems, according to everyone from the U.S. government to corporations like IBM. It is also inhibiting the effective adoption of key technologies in the enterprise and the public sector, including mobile, cloud and social applications, among others. And that will, in turn, inhibit enterprise growth and economic expansion.
But if the U.S. Bureau of Labor Statistics is predicting 22 percent growth in employment in cybersecurity by 2020, and we’re already dealing with that chronic shortage of qualified individuals, where will the properly trained IT folks we need come from?
Aggressive growth in training will, of course, be critical to the catch-up effort. This week, IBM’s Cyber Security Innovation Program, part of the IBM Academic Initiative, announced that it is ramping up a number of new university partnerships around the world. The program provides corporate expertise on projects ranging from updating Association for Computing Machinery (ACM) cybersecurity standards with the Georgia Institute of Technology to contributing materials to be used in a new Universidad Cenfotec Master’s degree in cybersecurity in Costa Rica.
Are increases in training programs and degrees too little, too late, in cybersecurity, though? Could be. Reading through what are basically the notes that ZDNet’s Tom Foremski took during a dinner discussion with a number of security vendor execs and an industry analyst gave me chills. Enterprise Strategy Group analyst Jon Oltsik told that group that the shortage of people with strong cybersecurity skills is not being talked about enough. Meanwhile, the enterprise is already facing increasingly complex threats to increasingly complex systems, and pressure to understand and mitigate the tactical and legal risks, all within financial constraints. It’s overwhelming to IT execs and it’s worsening daily.
Though many companies would like to rely more on security providers that can specialize, the question arises again – where will they find the necessary talent to keep up? It’s a pretty perfect repeating loop of rising demand and falling supply and, as Foremski concludes, it makes security “a very good business to be in.”
Today, as is the case most days, the results of at least one survey showing weakness in cybersecurity were released. The Ponemon Institute’s “The Risk of an Uncertain Security Strategy” study found that, among its 2,000 respondents responsible for security in organizations from around the world, the lack of a strong security posture is directly related to the lack of sufficient security expertise. Only 26 percent said they had the necessary expertise. Even more troubling, the highest-level executives had the least certainty about what was going on with security in their organizations. Ponemon concludes that this “indicates why IT and IT security practitioners say their management is not making cybersecurity a priority. Based on this finding, the higher the position the more removed the individual could be in understanding the organization’s risk and strategy.”
The U.S. organizations in the study, by the way, had the highest levels of uncertainty, compared to other countries.
While no U.S. company is going to look to emulate the U.S. government on technology implementations any time soon, we may see more of them taking a cue from departments like the National Institute of Standards and Technology (NIST), and including an assessment of the consequences of the cybersecurity professional shortage in planning documents. NIST did so in its October draft of its cybersecurity framework, going beyond the basic shortage into the details of department- and project-specific skill needs. As an area for improvement, it needs to be on every organization’s list.