In its latest Cybersecurity Report, Cisco Systems noted that the growing skills shortage represents a key challenge to companies trying to protect their infrastructure and data in a rapidly changing IT landscape. Even as they hire more people--last year the median number of security pros at organizations reached 40, an increase over the 33 in 2016--the issues confronting businesses are multiplying faster.
IT professionals responding to Cisco’s survey listed a range of capabilities they would add if they had the staff, including endpoint forensics, cloud access security broker (CASB), web application firewalls and intrusion prevention. As one CISO told Cisco, “If I could wave a magic wand and get 10 percent more people to take some of the burden off people who really feel the heat because of high demand for their particular service areas, I would be a very, very happy guy.”
The skills gap in the cybersecurity area is not new, but it’s large and getting larger at a time when the security challenges facing organizations also are growing rapidly. Estimates vary, but the gap is projected to reach between 1.8 million and 3.5 million by 2021, a year in which the global cost of cybercrime will have tripled from its 2015 level to $6 trillion, according to Cybersecurity Ventures.
Organizations are responding in multiple ways. They’re adding more people to their security rolls, adding automation capabilities and looking to outsource more of the security work. Market Research Engine expects the global market for managed security services will grow 14.5 percent a year between 2016 and 2022, reaching more than $45 billion by 2022. A broad array of tech vendors are offering such services, including IBM, SecureWorks, Verizon, Symantec and AT&T.
At the same time, organizations are investing in efforts to close the skills gap, ranging from bringing more women and other under-represented populations into the field to fueling interest among students not only in colleges but also in high schools and middle schools. They’re also extending training opportunities for those already in the tech space and others who may be looking to get in. Automation, orchestration and outsourcing will have their roles in this rapidly evolving IT world--particularly with the rise of artificial intelligence (AI) and subsets like machine learning--but there will still be a need for highly skilled people, Patty Wright, senior director of security consulting at Cisco, told ITPro Today.
“As fast as we’ve seen [automation and AI] come up, the latest malware or bad actors, they change the game,” Wright said. “That’s going to continue for the foreseeable future. Automation can certainly lessen the need for people over time on the lowest level, where it’s picking up patterns and understanding them and possibly managing to corral them and automatically push out fixes. But the way we’ve been seeing things change in the world of cybersecurity, I don’t think anytime soon we’re going to get ahead of how quickly the bad actors can change the game. Regardless, we’re going to see a gap for the foreseeable future.”
The Rising Cybersecurity Challenge
There are myriad security challenges facing organizations today. The rise of cloud computing and the internet of things (IoT) has expanded the attack surface. Data and applications no longer reside only behind the corporate firewall. Budgets are tight, staffs are thin, and more regulations are being put in place, such as the EU’s General Data Protection Regulation (GDPR). In addition, cybercriminals are getting more sophisticated, creating malware with complex techniques designed to get around security solutions and greater automation that accelerates the development of threats and the size and speed of the attacks. Indeed, while businesses are looking to leverage AI and machine learning in their security capabilities, threat actors are using the same technologies in their campaigns.
“The Internet was never created to be that secure,” John Maddison, senior vice president of products and solutions at security vendor Fortinet, told ITPro Today. “That’s one of the problems. You never know who’s on the other end. It’s very flat. I think companies built their architectures with the principle of, ‘I’ll put a wall here and won’t let people in.’”
These challenges exacerbate the IT skills shortage. Tech companies are working to close the gap, but it remains to be seen whether the demand for talent will continue to outrun availability.
Here are the key areas companies are focusing on:
1. Catching talent early
Most of those interviewed spoke about the need to talk to students--not only in college, but also in primary schools--about careers in cybersecurity. Children at the elementary school level have a natural interest in how things are built and how they work. As they grow older, they may gravitate to computer science and technology, but the idea of a career in cybersecurity still isn’t reaching many of them. Until the past couple of decades, cybersecurity was the domain of government and the military, Heather Ricciuto, academic outreach leader at IBM Security, told ITPro Today. Now it’s part of everyday life, given the ubiquity of smartphones and other mobile computing devices. The Institute for Security and Open Methodologies offers its Hacker Highschool program to raise security awareness among teens.
Those students who do know about cybersecurity might be turned off because they assume that it’s a hyper-technical field, all coding and penetration testing.
“With this space there are so many paths you can take,” Ricciuto said. “We need people who are ethical, who like problem solving, who love learning, because in order to keep up with the pace of change in cybersecurity, you’ve really got to love to continuously learn new things and build up new skills.”
Things are starting to change. Many universities have started adding cybersecurity modules to their computer science majors, and, during the past two to three years, they’ve started to create cybersecurity majors or associate’s degrees. IBM’s Academic Initiative is a program designed to provide a wide range of resources--from coursework to guest lecturers--to academic institutions in a host of fields, including cybersecurity. The vendor also offers other programs that include such resources, either for free or at a nominal charge.
2. Cast a wider net
IBM’s New Collar Initiative (as opposed to “white collar” or “blue collar”) is aimed at what Ricciuto calls “non-traditional outreach.” Most companies look at college graduates with four-year degrees, which greatly limits the pool of candidates. IBM’s program “focuses on skills and aptitudes and experience vs. degrees alone. What we’ve done is finally recognized that we can no longer afford to continue to focus on simply recruiting people with a minimum of a four-year degree. Many companies like IBM have left a lot of talent on the table because we’ve made that a minimum requirement. Meanwhile, there are people out there with the skills and aptitude that we’re looking for. They’re ethical, analytical problem-solvers, they’re good communicators, but they don’t necessarily have four-year degrees.”
Those include such people as community college students and military veterans, who may have traveled paths in life that haven’t included a traditional secondary education but may have developed life experiences that make them good candidates, she said.
Fortinet offers a similar program, FortiVet, which provides networking, cybersecurity training, mentoring and resume services.
3. More training in the field
Fortinet also has its Network Security Expert (NSE) initiative, an eight-level certification program aimed at IT pros who want to validate their network security skills and experience. It’s open to the vendor’s customers, partners and employees, as well as college students who are enrolled in the company’s Fortinet Network Security Academy (though the first level of the NSE program is open and free to the public). According to Maddison, there are more than 200,000 people in the three-year-old program, with an updated version coming next year.
The program includes an online portal through which participants can access training materials and earn certifications. It also includes fast-track modules, which are bite-sized pieces of training that run for about two hours and focus on specific items. The modules are ways to enable Fortinet to present up-to-date training in a field that changes quickly.
“If you go back even five years, [you could] put a course together that would last maybe two or three years. But these days, it changes so rapidly because of the infrastructure and security that you have to have different levels and size modules to make sure you’re keeping everyone up to speed,” Maddison said.
The company’s academic initiative provides assets and materials to more than 100 academic institutions that can be used in their curriculum.
4. Aim for diversity
In a world where women make up almost half of the workforce, only 11 percent of those working in the cybersecurity field are female, according to Michele Guel, distinguished engineer and IoT security strategist and co-founder of the Cisco Women in Cybersecurity networking community. That’s a lot of talent being left on the table, Guel told ITPro Today.
There is a large focus throughout the IT community to diversify the workplace by hiring more women and members of other under-represented groups. That includes cybersecurity. Six years ago, the Women in Cybersecurity group was formed through Tennessee Tech University with a grant from the National Science Foundation and holds an annual conference that attracts about 1,000 attendees. There also is the Executive Women’s Forum for women in the fields of information security, risk management and privacy.
Cisco, IBM and Kaspersky Lab are among a growing number of tech vendors making efforts to bring more women into the field. Through various programs, Cisco is looking to attract women at the beginning of their careers or even in mid-career, Wright said. The company also has an internship program that gives women experience in a broad range of segments--such as security implementation, incident response and ethical hacking--and enables them to participate in conferences like Black Hat and DefCon.
In addition, Cisco’s Networking Academy over the past couple of years has added cybersecurity tracks. And Kaspersky Lab last September hosted its CyberStarts conference in Boston aimed at women interested in the field.
Vendors also are looking into the middle and high school levels and even younger. The Girl Scouts earlier this year introduced a cybersecurity merit badge, and IBM has its Security Cyber Day for Girls program, aimed at middle school students.
Cisco’s Wright said that girls at a young age are as interested as boys in technology and similar subjects. However, as time goes on, many young women turn to other professions. If they stay with cybersecurity, often they move away from technical positions to become managers or focus on such areas as governance and compliance. Both Wright and Guel said it was important to bring more women into the technical side of cybersecurity.
IBM’s Ricciuto said it’s early in the process of attracting more women to cybersecurity as a profession, but she’s encouraged by what she’s seen, including the fact that many vendors in the space are making similar strides. Collaboration among companies, industry groups, academia, non-profits and government will be important in helping to close the skills gap.
“I’m not seeing percentages change yet, but what I am seeing attending various conferences--whether it’s an IBM keynote or from another company, or in breakout sessions--is that we’re all singing from the same hymnal,” she said. “We all recognize the importance of collaborating. While we all compete to fill open positions, we all recognize the need to fill under-represented constituencies--whether that’s women or others. We’re all focusing on that.”