If you follow my blog at all you know that I am quite passionate about the cybersecurity skills shortage and its ramifications. Just to put this issue in perspective, ESG research indicates that 46% of organizations claim they have a “problematic shortage” of cybersecurity skills in 2016 as compared to 28% in 2015.
Yup, the ESG research seems to indicate that things are getting worse on an annual basis, and ESG isn’t alone in this belief. For example:
- According to Peninsula Press (a project of the Stanford University Journalism Program), more than 209,000 US-based cybersecurity jobs remained unfilled and postings are up 74% over the past 5 years.
- Analysis of US Bureau of Labor Statistics data indicates that demand for cybersecurity professionals is expected to grow 53% by 2018.
Adding to this trend, Computerworld research indicates that more than half of security managers expect their organizations to increase cybersecurity headcount this year adding more pressure to the pot.
It’s clear that we face a classic economic conundrum where demand far exceeds supply. The inevitable consequence of the skills shortage is rapid salary inflation for cybersecurity professionals. A recent article in CSO Online (author’s note: well worth reading) illustrates this trend, claiming that information security managers’ compensation went up 6.4% from 2015 to 2016, more than any other IT job.
Organizations are also actively boosting infosec salaries to retain the current staff. In fact, just over three-quarters of security professionals surveyed by Computerworld said that their base salary increased over the past year.
In spite of these increases, however, 68% of infosec professionals say that “higher compensation” is still the top reason for changing jobs. Salary inflation is even more pronounced when it comes to CISOs. One CISO I spoke with recently claimed that compensation for his skill set seems to be increasing at about 40% per year.
In my humble opinion, this is an untenable situation that continues to degrade. If lots of the best cybersecurity professionals go to work on Wall Street or in Silicon Valley, overall systemic risk will skyrocket, well beyond an acceptable level.
There is no quick fix to this problem, but I do have a few suggestions:
- Large organizations should get much more involved with local universities and cybersecurity professional organizations. The goal? Cooperative investment, training, mentoring programs, internships, etc. Think of it as a community investment.
- CISOs should build their own training programs to recruit, grow, and train junior cybersecurity employees and even non-IT professionals. Smart CISOs will actually do this in cooperation with other local organizations in the same boat.
- Washington has offered a lot of talk and little action on this national security issue. Yes, programs like NICE, the National Cybersecurity Workforce Framework, CyberCorps, NSF grants, and NSA Information Assurance scholarships are helpful, but we need a coordinated national strategy here. This should be a high priority for the 45th president, whoever that is.
- Security leaders like Cisco, Fortinet, HP, IBM, Intel Security, and Symantec should be commended for their individual programs for cybersecurity education and training. Nevertheless, I’d like to see these leaders work collectively as an industry, pool some resources, and try to make a bigger dent in this problem.
We’ve misclassified the cybersecurity skills shortage as an industry problem when it’s actually a national security issue. We need to address this with a strategic plan that cuts across academia, governments, the industry, and cybersecurity professional organizations. Throwing more compensation at cybersecurity professionals is simply counterproductive and unsustainable.