In recent years, there has been an exponential increase in high-profile data breaches. As data breaches at corporations, educational institutions, and government agencies continue to grow, so does the need for InfoSec professionals. Furthermore, hackers keep getting smarter and their attacks keep getting more sophisticated. The high demand leads to an ongoing shortage of information security professionals. The InfoSec Institute estimates there is a worldwide staffing shortage of nearly three million in the cybersecurity field, half a million in North America alone. On average, it takes most companies 3 to 6 months to fill a vacant InfoSec position, and over 25% of companies fail to recruit the talent they need. This article will cover how individuals who have an interest in cybersecurity can get into InfoSec. There will be a second part to this blog that will consider measures companies can take to protect themselves, despite the shortage.
The Challenge
The U.S. Bureau of Labor Statistics estimates the number of IT security jobs is expected to have increased 18% by 2024. The challenge is that there will be nowhere near enough skilled candidates to fill those jobs. Most cybersecurity professionals start out in different areas of work, as cybersecurity is still considered a new profession. Many people who would like an InfoSec or cybersecurity career are not sure how to go about acquiring qualifications. However, more colleges are expanding their cybersecurity curricula, which could attract more students who have an interest in this field.
As the demand to find skilled candidates increases, drawn-out hiring processes can discourage jobseekers. As a result, they may find employment elsewhere. In other instances, the people recruiting lack cybersecurity expertise, which can make it difficult to identify the right candidate. It is important for employers to have realistic expectations when hiring a cybersecurity professional. Descriptions for cybersecurity positions should accurately match the knowledge and skills the role requires. Many companies have opted to provide cybersecurity/InfoSec training for their current employees. Investment in cybersecurity skills through training benefits both the individual and the employer. Employees will be less likely to seek employment elsewhere if they believe their current employers value the importance of their skill development.
Filling the Gap
Solving the shortage of cybersecurity professionals will not happen overnight; it will take time and effort. However, in the short term, employers can make progress by adjusting their hiring expectations, streamlining the recruitment process, and tapping underserved talent pools. Many times, employers prefer experience as an InfoSec professional over textbook expertise. Therefore, we need to train more InfoSec experts if we hope to counteract adversarial hackers. Companies can benefit by cross-training IT workers in the field of InfoSec. By providing this type of training, organizations can effectively increase cybersecurity/InfoSec in-house talent to safeguard their information systems.
Another way to bridge the gap is diversity. By embracing gender diversity, companies can benefit from the fact that women and men gauge risk differently. Jane Frankland, author and managing director of Cyber Security Capital, said “Typically, women are more risk averse and their natural, detailed exploration makes them more attuned to changing pattern behaviors – a skill that’s needed for correctly identifying threat actors and protecting environments.” A diverse cybersecurity team offers different points of view and ways of thinking, which can put businesses one step closer to staying ahead of their attackers.
In Summary
In summary, yes, there is a severe InfoSec talent shortage. Yes, it’s getting worse. In the meantime, criminal hackers have become more advanced. This does not mean that all hope is lost. Every day there are more people interested in a career in InfoSec. More schools are offering not just cybersecurity courses, but also courses on InfoSec. SECOM will be launching the first ever Institute for Social Engineering (ISE) very soon. To obtain more information on ISE, feel free to contact us on our website. While we cannot control the growth of malicious hackers, we can educate ourselves, our families, and employees. At SECOM we offer professional corporate services that provide education and training specific to the tactics that hostile attackers use to influence, as well as manipulate, people. For a complete list of the services we offer, please visit our website, Social-Engineer.com.
Sources:
https://www.infosecinstitute.com/
https://blog.isc2.org/isc2_blog/2018/02/cybersecurity-hiring.html
https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm
Image:
https://informationsecurity.princeton.edu/events/becoming-information-security-professional