The shortage of cybersecurity workers, a perennial challenge for public institutions and businesses large and small, has long been described as a “crisis,” more urgently so as post-pandemic reliance on digital communication — exemplified by those ubiquitous Zoom meetings — has opened expanded avenues for getting hacked, ransomed or compromised in numerous other ways.
According to CyberSeek, a project whose partners include the labor market analyst Lightcast, the National Initiative for Cybersecurity Education and the IT certifying body CompTIA, unfilled cybersecurity positions numbered 663,434 in June. That’s slightly more than half the total of the nation’s employed cyber workforce.
It’s typically viewed strictly as a talent issue. Witness myriad statewide initiatives to develop that “next generation” of cyber sleuths. In California, which boasts the nation’s most robust cyber workforce (121,495) but also the most IT security job openings (69,213), Prof. Tony Coulson of California State University, San Bernadino referred to it as an “all hands on deck” moment during a recent online symposium sponsored by the California Council on Science & Technology.
“We need the 18-year-olds,” he said. “But not just them. We need everybody. We need that person who’s trying to reskill. We need veterans. We need homeschoolers.”
But a CompTIA official who spoke with me in June suggests that all those open IT positions reflect more than just a shortfall of workers. Yes, we could use more cyber defenders, believes CompTIA Chief Technology Evangelist Dr. James Stanger. But if an organization has an IT security staffing shortage, the remedy might lie in taking a closer look at its needs and aligning them to a labor force that is out there already.
“We are over-reliant on four-year degrees,” Stanger says. “There are a lot of smart people out there and a lot of levels of training. Yes, we want good people, but a college degree is not necessarily an indicator that you’ve picked up those necessary skills. So, what we’re doing,” he laments, “is applying a 1960s model that doesn’t fit anymore. There needs to be some new thinking here. There is a supply of workers out there, and it needs to be recognized.”
Creating Risk Through Risk Avoidance
Stanger offers up an anecdote that serves to illustrate his thinking.
“I was talking recently to a CIO in Nashville. She’s been in the security industry for about 15 years doing heavy-duty stuff. She told me she was looking at the description for an entry-level security job and figured that even she couldn’t get it. It was a job that pays a third of what she makes and requires less than a third of what her experience is.”
What’s happening, Stanger believes, “is that we’re over-spec-ing and over-preparing these job descriptions because it’s a risk-oriented job. In the end, we’re taking on more risk because we’re not getting the employees we need.”
Drawing from data provided by Lightcast, Stanger says that half or more of postings for cybersecurity analysts require at least a bachelor’s degree.
“That’s a problem,” he says.
And the “crisis” extends, he believes, to properly deploying the talent that a company might eventually manage to land.
“There are a lot of organizations out there that are kind of like the dog that caught the car. What do you do when you catch it? A lot of them,” he believes, “are still a little leery about technology to begin with. Trying to secure that technology, utilizing people who understand both the business and the technology, can be very intimidating.”
Even as organizations have come to embrace digital transformation, many, Stanger believes, still tend to approach security almost grudgingly.
“There needs to be some new thinking here. There is a supply of workers out there, and it needs to be recognized.”
— Dr. James Stanger, Chief Technology Evangelist, CompTIA
“It’s always wonderful to talk about proactive security,” he says, “but what hasn’t much changed is that we’re still treating security as a cleanup kind of issue. What I see is organizations that are more mature in their approach do far better in growing their business than ones who just kind of say, ‘Well, the security folks will clean up the mess afterwards.’”
AI to the Rescue?
The increasing adoption of artificial intelligence, Stanger believes, could be a net-plus for organizations that are serious about cybersecurity.
“AI,” he says, “is going to solve a lot of problems. It’s a force multiplier. It’s very good at doing the kinds of repetitive tasks that tend to tie down cybersecurity professionals and thus reduce their productivity. If AI can take care of that 80% of the work that is repetitive, then I can put together a team of five developers that can handle the remaining 20% and do so much more productively. It’s going to allow them to punch above their weight.”
Still, AI does not represent a panacea, especially since cyber criminals enjoy access to it, as well.
“These aren’t hoodie-wearing teenagers,” says Stanger. “These are very sophisticated organizations that have HR policies, time off and things like that. So, it’s going to come down to who trains their AI the best. It’s definitely spy versus spy. It’s going to be about who gets there first, whether for good or for evil.”