“To some extent, this data supports the theory that the cybersecurity skills shortage is related to mismanagement rather than a dearth of qualified candidates or advanced skills.”
There is no substantive difference between this year’s Life and Times of Cybersecurity Professionals (produced by ESG and ISSA) and the previous four annual studies – they are all depressing. But that speaks volumes. It is time to take note of what the study tells us, to learn the lessons, to change the background, and improve the future.
”When I look at this year’s study (PDF),” ISSA’s international president, Candy Alexander, told SecurityWeek, “I think, Are you kidding me? We’ve been doing the same study with the same results for five years. It is truly the definition of insanity to do the same thing and expect different results – but the industry continues to do the same thing and of course nothing changes.”
This year, ISSA polled 489 cybersecurity professionals from around the world. It found that the skills gap continues to worsen; that cybersecurity professionals continue to feel they are under compensated; they do not get enough training; are under-resourced; and they don’t feel supported.
The skills gap
The skills gap is partly a self-inflicted wound on the industry by the industry. The industry demands that new recruits have both academic qualifications and practical experience – two qualities that are largely mutually exclusive. When it cannot find new recruits meeting this demand, the industry simply calls the result a skills gap.
There are other problems. “We tend to simplify things,” said Alexander; “so we say, well education is one of those factors contributing to the skills gap. It is, but it is not the sole cause.” What concerns her about education is its inability to keep up with the speed with which new technology is developed and used.
“It takes time to develop new curricula,” she continued “You need to develop the courseware, you need to vet the courseware, you need to pilot the courseware and then you can release the courseware. So, you’re looking at a lifecycle of about 12 to 18 months.” In the real world, technology today is different to 12 months ago. “So,” she continued, “we need to figure out with the really smart people in academia how to expedite that learning curve in teaching to stay closer to technology. That is one of the factors in the skills gap – when people come out of school, they’re already 2 years behind.”
The report never once mentions that increasing the recruitment of women into cyber might help the problem – in fact, it never mentions women at all. “That’s because the skills gap is not a women problem or a man problem: it’s a people problem,” said Alexander. If anything, it is a societal problem, which is a recurring theme in Alexander’s view of cybersecurity staffing issues.
“If we didn’t differentiate between girls and boys in education,” she continued, “we wouldn’t have to differentiate outside of education. We’d still have the problem, but it wouldn’t be male or female – it would simply be a people problem. Saying that it is a woman problem simply perpetuates the existence of a woman problem.”
This attitude spills over into Alexander’s view of ‘diversity’ within security teams. Diversity is important, and many leaders are happy to claim their own security team comprises a mix of ethnicity and nationality, gender, straight/LGBT people, and black and white hackers.
Alexander believes we should ‘value the differences’; “But we seem to have lost touch with that. Instead, we now emphasize the differences, as if that is valuable. When I think about diversity in teams, I look more at personality and intellect and aptitude; not backgrounds, not cultural and not gender. To me diversity should include an introvert, an extrovert, a communicator, an intellectual – that to me is diversity and that’s what makes a great team.”
Recruitment is still an issue and part of the skills gap problem – and another societal problem. The main problem is that society has shifted to an instant gratification expectation. The industry expects book-learned youngsters to move straight into the industry and become skilled practitioners; while graduates expect to leave school and walk into $150,000 jobs. Neither is realistic.
The job problem
The skills gap hasn’t improved because the underlying employment issues haven’t changed: cybersecurity professionals continue to feel undervalued, and getting started remains a problem. Financial compensation is one of the areas – but is complex. The cybersecurity industry is generally considered to be well recompensed, but this only applies to mid-level and high-level positions. Thirty-eight percent of the respondents do not believe that the industry offers a sufficiently competitive remuneration package to attract new employees – which in turn exacerbates the skills gap.
Remuneration is also important to staff retention. Thirty-three percent of respondents believe the offer of a higher compensation package is the primary cause for CISOs to change companies. This is part of a wider issue within the industry that applies to all experienced and qualified staff. Some industries and some companies can afford to pay more than others. It is always easier for these companies to poach experienced staff than to find and train new staff. This internal industry churn has a knock-on effect on the skills gap, leaving the smaller companies with the burden of bringing new staff into the industry without necessarily being able to offer a sufficiently attractive pay package.
Staff poaching is not apocryphal. Twenty-three percent of the respondents are solicited several times per week; 13% about once per week, and another 22% a few times per month. More than half of the existing cybersecurity workforce is asked to consider moving to a different company several times every month. If this energy and money were focused more on bringing new people into the industry, it could influence the overall skills shortage.
The top four recommendations on actions to address the skills shortage are a greater commitment to cybersecurity training (39%); an improved compensation package (37%); improved benefits such as paying for certifications and participating in industry events (35%); and the creation and improvement of a cybersecurity internship program (33%).
Alexander sees a linkage between training and internship, and believes that societal issues prevent us from tackling the problem head-on. “There’s a huge gap and divide between those that are academics and those that are practitioners coming out of schools,” she told SecurityWeek. “We should be able to mix knowledge and skill – and maybe we should consider a return to old-school apprenticeships.”
The terms apprenticeship and internship are often used interchangeably, but are really very different. The former is found more often in trades, while the latter (which is little more than a holiday job) is found in professions.
“Maybe the whole thing goes back to tradesmen, where apprentices learned a trade,” said Alexander. “Is cybersecurity a profession or is it really a trade? In my opinion, the reality is it is becoming more like a trade. In trade, you find more apprentices. You could not become a goldsmith until you did x number of years as an apprentice. Maybe that’s one of the things we should look at as well. Isn’t it a shame that our instant gratification society and culture is, ‘I’m going to graduate university and I’m going to make $150,000 pa’ – that’s the expectation of our graduates today. There’s more emphasis on the instant gratification component as opposed to learning the basis of a life-long skill and trade.”
The idea that the employer should pay for certifications is interesting. It implies that applicants should not require certifications to get employment, but should be assisted in gaining certifications while employed. But it is a complex conundrum. Fifty-one percent of the respondents said that having the CISSP certification was valuable in getting a job in cybersecurity. “Cybersecurity professionals pursue a CISSP certification after accruing the requisite number of years of experience as this certification is a requirement for most available jobs,” says the report. You cannot get CISSP unless you already have a security position – so once again, this aids industry churn while having a negative effect on reducing the skills gap.
Alexander believes that the cybersecurity skills gap continues to exist and continues to grow because industry continues to mismanage what we already know. The basic problem is that business still sees security as a cost center. “It’s something you have to do, like paying an electricity bill,” says Alexander. Like the electricity bill, the incentive is to reduce the amount of electricity you consume to reduce the electricity bill, rather than increase the budget to afford better electrical devices.
The fault lies with both the security teams and the business leaders. The former are not explaining how their services support, protect and improve business profits, while the latter sees security as little more than a necessary and unwelcome requirement to meet legislative compliance.
“You gotta make sure that you’re meeting compliance, that you’re protecting your data and that you’re keeping the bad guys out as cheaply as possible,” she said. “That’s the end of the business statement. But if we as professionals were able to change the conversation from defending the industry with technology that business doesn’t understand into positively supporting business objectives, security becomes less of a cost center and more of a profit support center.”
Only with that fundamental change of mindset will businesses begin to better support the cybersecurity profession (or trade), and begin to fund the changes that will reduce the skills gap.