By Ericka Chickowski
As 2015 remains on track to break all the blockbuster breach statistic records yet again, it's no surprise that the industry continues to scramble to answer why the problem keeps getting worse. One of the common reasons screamed from headlines and industry reports over the past months is that the cybersecurity industry suffers from a skills gap. We don't have enough people to fill security roles at companies today and that's why organizations can't keep up.
But is that narrative really true? Is there actually a 'brain drain' or talent shortage in cybersecurity, or are there more fundamental problems in the industry? I posed these questions to a number of friends in the industry and the perspectives ran the gamut, but there were plenty of pundits and practitioners out there to question the party line that there aren't enough cybersecurity professionals out there to get the job done.
Before we get to that, though, let's look at some of the evidence from the 'pro' camp on this issue:
- One of the most recent reports, this one from Cisco, states that the demand for cybersecurity professionals is 12 times greater than other IT jobs. Cisco says that last year the industry was 'short' more than one million security pros around the world.
- This backs up the yearly prognosis by industry group and CISSP certification authority (ISC)2, which this year with Frost & Sullivan pronounced that by 2019 there'd be a supply-side workforce shortfall of 1.9 million professionals.
- Industry group ISACA says 86 percent of respondents see a global cybersecurity skills gap and 92 percent of those planning to hire cybersecurity pros say they expect to have difficulties recruiting
These statistics and claims sound substantial and scary at first blush. But I'd argue—with the backing of many people smarter than me—that they're actually pretty specious.
One of the big issues I have with these kinds of 'workforce shortage' claims and projections is their fundamental lack of awareness of how economics and labor pool elasticity works. Many of these projections and statistics are based on the presumption that salaries, perks and current structures of security roles remain static.
Part of the issue here is not that there aren't enough smart people to fill these roles. It's that many of these roles are crappy in the first place.
"I think a lot of it is smoke and mirrors," says Ben Tomhave, a current security architect and former Gartner research director who just spent months looking for a good job in the Washington D.C. area. "(There are) tons of the junk jobs here in DC are drones at keyboards staring at screens or some form of bureaucratic nonsense adding no value."
He says there are a lot of great parallels of this current foment about security shortages to the claimed sys admin and general IT worker shortages of the 1990s and 2000s. That's a claim that I've written about quite a bit in the past, including this piece in 2008, which has heavy hitters from Duke University, Rochester Institute of Technology and the Alfred P. Sloan Foundation debunking it as myth. More recently, this technology and science shortages was dismantled in an excellent piece done by the Atlantic last year.
Security analyst Richard Stiennon, chief research analyst for IT-Harvest, agrees this current shortage claim is also hokum.
"While it is definitely a seller's market and salaries are on the rise there is an adequate supply of people with the skills that could move into IT security if the opportunity was better than for other roles," he says.
That's the long and short of it—the ugly truth staring at those brave enough to look in the mirror. The shortage is not in the labor pool but in the willingness of organizations to invest in creating attractive security roles. Those that do are much more successful at recruiting the kind of unconventional problem solvers, builders and breakers who become good cybersecurity professionals. Those that don't blame a nebulous market condition that's totally out of their hands.
Creating an attractive role means not only budgeting for the type of salary that this quality of professional demands, but also building the culture that doesn't chase them away even when they're paid well.
"To be successful in infosec you need to care. To care you must feel that you are contributing," says Nick Selby, a former analyst with the 451 Group and long-time information and physical security professional. "Infosec is consistently an afterthought in corporate budgets, and compliance will win a budget fight over infosec every day. So infosec ends up with all the responsibility and none of the authority, and that makes smart people mad, and they move on to areas of innovation, or, you know, marketing."