As with many tech sectors, cybersecurity has been facing an increasingly large worker shortage over the past decade. But unlike most other talent shortages, this one is set to have a material impact on consumer safety.
That’s not just idle speculation, says Candace Worley, vice president and chief technical strategist at McAfee. A fourth of the 775 IT decision makers who responded to a 2016 survey by McAfee and the Center for Strategic and International Studies blame company breaches on unfilled critical cybersecurity positions.
“There’s just not enough cybertalent, not enough people with the level of expertise needed,” Worley tells The Parallax. “There [are] more fresh college grads from STEM-based majors, but they don’t have the experience of surviving a breach.”
The cumulative impact on the industry will get worse, with more easily breached systems as only part of the problem, she says. Eighty-two percent of respondents to the McAfee-led survey reported a shortage of employees with the necessary cybersecurity skills, and 71 percent said not being able to hire enough people with those skills is making their organization more vulnerable.
More than 1.8 million cybersecurity jobs will go unfilled by 2022, a 20 percent increase over 2015, according to the Global Information Security Workforce Study by Frost and Sullivan and the International Information System Security Certification Consortium. Two-thirds of its survey respondents said they don’t have enough hackers on hand to adequately respond to cybersecurity threats.
The cybersecurity worker shortage isn’t a new issue. IT trade organizations have been worrying about the employee deficit for at least a decade. And while more than 200 colleges and universities are currently training students to become the next line of cybersecurity experts, private businesses and public agencies must come up with alternative solutions in the interim for one simple reason, says Worley: “We don’t have enough people coming out of STEM in college.”
In order to defend against malicious hackers, cybersecurity experts must be creative thinkers, says Michael Dunn, the founding dean emeritus and professor emeritus of the Indiana University School of Informatics, Computing, and Engineering. The IU school, which opened its doors in 2000, launched one of the first multidisciplinary college programs designed to address the complex training cybersecurity experts require. In addition to coding, its coursework emphasizes ethics and statistics, he says.
“We attracted students who might not have otherwise gotten into computer science,” he says. The IU approach, which incorporates courses across different schools within the university, has been adopted by the University of Edinburgh, the University of California at Irvine, and others around the world.
The important role academia plays in codifying what used to be a more do-it-yourself skill set can’t be understated, says Gary McGraw, a founding father of the cybersecurity field and currently the vice president of security technology at Synopsys.
“Twenty years ago, there were no people who claimed to specialize in software security,” he says. “We’ve made huge progress in the field of software security, in regards to whom we can hire.”
As an executive with decades of experience hiring security experts, McGraw says companies should be aggressively pursuing women and minorities to fill open cybersecurity positions.
“We need to involve more sets of people that have not been as welcome as they should be in high engineering,” he says. “Women and other minorities who are successful are great role models. And role models are a great, well known, and understood way to have a great impact on future generations.”
Companies and government agencies should also be training current employees in cybersecurity, says Mark Weatherford, who in 2011 was named the first deputy undersecretary for cybersecurity at the Department of Homeland Security. Weatherford, now the chief cybersecurity strategist at security company VArmour, says that could mean teaching software engineers to think like hackers, or teaching employees with liberal-arts backgrounds to code.
“When the space shuttle program shut down, NASA offered retraining. It’s not a new phenomenon” in government, he says. And it might be an approach that startups and public agencies, which don’t necessarily have the cash reserves to hire top-of-the-line hackers, need to take.
Government agencies are facing particularly challenging cybersecurity employee shortages. Along with smaller purses to attract top talent, the security clearances they require often limit the talent pool from which they can recruit. Marijuana use apparently no longer represents a hiring blocker, but educational limits and criminal records do.
Weatherford argues that in order to make up for limited resources and hiring restrictions, federal agencies should be more judicious about determining which material to classify, and should consider building offices outside of the D.C. Beltway in more appealing, more affordable locations like Denver, near his home in Colorado Springs.
In the meantime, some employers are looking to automate or outsource their cybersecurity operations, at least in part. Microsoft in June spent a reported $100 million for the Israeli artificial-intelligence cybersecurity company Hexadite, underscoring the importance of automation as a partial solution to the workforce shortage. But AI comes with its own set of pitfalls, including an already common problem in cybersecurity: the reliance on third-party software components. AI, like components, may come with inherent weaknesses that only a human monitor could catch.
Ultimately, keeping network and computer systems secure depends on having security integrated from the earliest stages, McGraw says. And doing that is going to cost a lot more money—even more than the $90 billion that Fortune 500 companies are expected to spend on cybersecurity this year. A June study by the Ponemon Institute and IBM found that data breaches cost on average $3.62 million.
“The shortage is even more drastic in software security because we need people who understand software and understand security,” McGraw says. “The only way forward in security is to build software that doesn’t suck.”