InfoSec Global Staff Shortage: Not Easing Up Soon
There is a mass shortage of InfoSec personnel. The shortage has been well published through many different outlets, academic articles, magazines, and blogs alike. There was a study conducted by Intel Security with the Center for Strategic and International Studies (CSIS). There were 775 IT decision makers in eight countries in the public and private entities.82% of the respondents noted a shortage of cybersecurity skills. Symantec in a recent study estimated the number of open positions to be 500K to 1M, increasing to 1.5M by 2020. The global shortage is expected to increase to 1.8M by 2022. InfoSec job postings have also increased by 74%.
Banks have also experienced difficulties in this area in finding cybersecurity personnel to hire. With the finance industry, there may be more of a focus on complying with lending and credit guidelines, in comparison to auditing the cybersecurity processes.
The demand for the people is outstripping the supply. One factor driving the need is the number of black hat attackers. This number while vague continues to grow. The attackers have operationalized the methods to the point where this is a business, following a business model. As the amount of data continues to grow, this gives the attacker yet more targets to focus their attention on. The network and connected devices in place presently produce 277x greater amount of data than people do. The data increasing, along with more devices and IoT, provides an abundance of crown jewels or places to attack. It is simply just difficult for the staff in place to complete the necessary work to ensure the network, data, enterprise, and embedded systems are safe. This is a bit of circular reasoning. There is a massive amount of data, devices, and networks to protect, which continue to increase. This gives the attackers more targets. The already stretch InfoSec teams are not able to adequately review the InfoSec, which gives the attackers more of an opportunity to successfully attack targets.
Diversity appears to be an issue in this industry (Perez, 2016). Diversity is important in that a diverse group brings new ideas, work ethics, processes, experiences, which all lead to better ideas and implementations to better secure the enterprise and specific embedded devices. In 2015, women held 25% of computing roles. In the InfoSec workforce, women only comprise 11%. This ratio is lacking and indicative of the issues that continue.
Methods to Remediate the Issue
The problem is well-known and increasing at an alarming rate, unfortunately for the industry. To again repeat the issue and its underlying driving points would be a disservice for the industry and non-productive. There are many actions to take in order to begin to alleviate the issue. These steps are not a panacea, however, the endeavor will take time and effort.
One action item to implement is to begin cybersecurity education and training earlier. This may begin even in junior high school, if not earlier for the students. The introduction and subsequent materials would need to be age and maturity specific, however the earlier the better. The students are exposed to electronics and learn from these devices in the elementary school systems. This exposure to InfoSec and computer systems may be enough at this age to spark the interest and a life-long career. This allows for a greater level of accessibility in the school systems.
The colleges, universities, and corporations should be present and active at recruiting events. Recruiting events are differentiated from career fairs in that the recruiting events are held in conjunction with other like events. For instance, the organization could use a cybersecurity event as a recruiting grounds with the organization's table. The table would be set up with SWAG to hand out. This gives the business representative the opportunity to meet people and nonchalantly speak with them regarding their background to understand if it may be a good fit and to gauge the person's interest. This allows the entity to look at the person's skills, and not just if they have a degree. These recruiting events, updated for the new workforce, certainly have the potential to assist with the shortages.
The entities experiencing the labor issues in this IT and InfoSec areas may also conduct specialized events to draw the attention and attendance. Overall, these entities may provide the facilities, and operate practice sessions and camps. These may encompass various topics. Banks have been a bit creative and have held coding events.
The workforce in the present cycle looks at different attributes for the workplace. This is a natural progression as the demographics have changed. To reach this stratum of potential, qualified employees, the entities should openly publicize these facets. The new workforce coming up into the ranks is seeking flexible hours. This, when implemented, allow the staff to accomplish other tasks and interact with others.
Within the subject field, which is presently understaffed, the level of females in the field are drastically low. Although the ratio is terrible, with this subfield there are also targeted actions to take. To assist with this, more females should attend hack-a-thons. With these, the attendees would be able to mentor and teach each other along with being able to assess the knowledge base and skill level.
There are InfoSec conventions throughout the year, through the US and remainder across the globe. Of these, there is a subset directly related to increasing the number of women in InfoSec. One of these in prior years was TiaraCon, which was focused on increasing the number of females in cybersecurity. Related to this are the camps. Females should attend these to learn from others, as they are mentored if needed. BYU has hosted these in the past.
Looking Forward
The lack of qualified personnel leading to the present and future increasing shortage of persons, there are a number of action items to work on to assist with the issue. The organizations have to be creative in their efforts. The upcoming workforce needs to be attracted to the position, not just a job.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.