Overcoming the Cybersecurity Labor Shortage

With more reports of data breaches this year than ever before, companies are recognizing the need to ramp up their cybersecurity efforts. But if you’re trying to build out a dedicated cybersecurity team, you’re probably coming up short.

If this is the case, you’re in the majority. According to ISACA’s State of Cybersecurity 2019 Report, 69 percent of organizations have understaffed cybersecurity teams. Meanwhile, cybercriminals are increasingly sophisticated, gaining access to major companies from Capital One to Facebook to Marriott in 2019 alone. It’s imperative to have the right people to proactively guard against attacks and respond to them when they occur. But when cybersecurity positions are unfilled, your staff will be stretched too thin to defend your business.

In a candidate-driven job market, you cannot count on finding expert new hires to fill every needed cybersecurity role. And unfortunately, you can’t count on retaining the experts already on your team; employees are lured away by better salaries, bonuses and benefits.

Tech decision-makers need new and better ways to stay ahead of the labor shortage that don’t deplete resources or drive employee burnout. While the skills gap may begin to narrow as more universities offer dedicated cybersecurity programs, employers should expect to struggle with keeping full teams in the immediate future.

Rather than boosting hiring and retention efforts, companies must therefore understand why cybersecurity expertise is in short supply—and what other solutions can help them address the labor shortage.

Why Is It So Hard to Find Cybersecurity Professionals?

It’s important to understand the factors behind the cybersecurity labor shortage in order to effectively respond to it. As the need for IT security within companies grows, the workforce supply hasn’t kept up. There are a few factors that likely contribute to this crisis.

First, very few colleges offer dedicated cybersecurity programs, with the first undergraduate honors program launched at the University of Maryland in 2013. Even tech-focused schools generally don’t have defined security tracks, meaning that people who want to get into the field must tack extra certifications onto their more general tech degrees. Because tech degrees tend to be vocational, students aren’t given the option to explore cybersecurity as an interest while in traditional four-year degree programs. It seems the education sector sees the growing need for people skilled in security, and I expect schools will begin to build out security tracks more in the coming years.

Additionally, many students entering tech programs don’t naturally gravitate toward security. Within the tech community, people want to build things—whether that’s the next big app or a beautiful new website. Information security, by contrast, isn’t nearly as sexy. Add to this the fact that it’s seen as a tough gig that doesn’t allow for work-life balance (cybersecurity teams are on call 24-7, responding to data breaches whether it’s a holiday or 3 A.M.), and incentivizing students to enter the cybersecurity industry is a tough sell.

The inherent challenges of IT security will not disappear, and shifts within education systems take time to materialize, so we can expect to continue to struggle with the shortage. Tech leaders should use this as an incentive to seek help from trusted advisors to create a more secure, cost-effective strategy to protect their data.

How Can Businesses Respond to the Shortage?

Partnering with a trusted advisor to obtain reliable third-party experts enables your network engineers to refocus on other critical work, opening up resources to spark business growth while also ensuring your organization’s software and protection plan are always up to date.

Most organizations relying on staff members who are stretched too thin will only have one line of defense between their information and criminals. When that line fails, attackers are free to have a field day with your valuable data. This is where a trusted advisor can help. Trusted advisors will work with you to develop a layered approach to defense and connect you with MSSPs who provide the services you need.

In addition to building up walls to prevent attacks, trusted advisors can identify ways to preemptively protect your data for when an attack occurs. Having a solid disaster recovery plan is crucial in a digital landscape where data breaches are so common. When you are already equipped with these up-to-date tools, you’re able to respond to threats much more quickly than your own team could on its own—especially when you’ve partnered with MSSPs who scour the web for threats and operate from 24/7 Security Operations Centers (SOCs).

Trusted advisors remove stressful and time-intensive tasks from your team’s workload that get in the way of important business operations. Once your IT and management teams are free to focus more on processes that directly impact your business, they’ll be more open to pursuing ideas that drive growth in your business.

Leveraging Third-Party Support

Organizations increasingly understand that partnering with trusted advisors and MSSPs helps them save money both before and during attacks and be more innovative with how time is used. Companies that fail to recognize the value of these third-party resources and instead focus on hiring and retention efforts tend to fall behind, often paying the highest premiums when walls inevitably break down.

Without a doubt, the cybersecurity labor shortage is challenging to navigate. But instead of competing with MSSPs and trusted advisors to find new staff members, empower your staff by partnering with these experts to ensure your cybersecurity is functioning at the highest level.

Ron Hayman is Chief Cloud Officer & COO of AVANT.

5 Responses to “Overcoming the Cybersecurity Labor Shortage”

  1. Michael Pollock

    As someone who has completed a 2 year certification program in cyber security and has a CompTIA Security + certification, I have a few things to add. There seems to be an unwillingness on the part of businesses to create entry level positions in cyber security. Almost all of the positions I see are asking for several years of experience, and in many cases, multiple or higher level certifications. I understand the reasoning, as who wants to spend time having to train and teach someone at the entry level if you can get someone with years experience? Yet, as the article suggests, there is a growing need for cyber security professionals.

    I started out taking network classes when I heard about cyber security and the huge need in the information security field. I transferred to a 2 year cyber security program which included an internship. Now, after having graduated, I am finding employment difficult because the bar for entry is set so high. I don’t mean to make this about me however. Rather to point out that if businesses want to meet the demands of their cyber security requirements, they need to start creating more entry and junior level information security positions. Most of the experts in cyber security have grown up with the tech industry and acquired their knowledge along the way. Those of us entering the workforce have knowledge and perhaps some experience, but we are not ‘experts’. Hence the need for creating entry level positions. It’s the knowledge combined with on-the-job experience that will eventually develop high level expertise. There will continue to be a shortage as long as businesses only want experts with years of experience.

    • I couldn’t agree more. After reading countless articles about the shortage of Cyber Security professionals and the salaries they can make, I thought it would be an easy transition for me to go from Senior Software Engineer for 15 years / Owner/operator of a Computer Repair shop for 15 years, to a Cyber career. I passed the Security+ (April 2018) and CySA+ (October 2018) easily on my first attempts. The problems I come up with are a lack of a security clearance leaving out Department of Defense jobs (I was flat out told by a recruiter that they were not allowed to sponsor for clearance at this time, at least in my area near Offutt AFB) and lack of experience in a Network Operations Center. I also have seen ridiculous job postings asking for CISSP and years of relative experience and NOC background for low paying positions or what should be considered entry-level positions. Those positions will remain unfilled. I’ve also seen a few internships that pay minimum wage; those are organizations looking for slave labor. The bottom line is, Cyber Security doesn’t provide a product for a company to make a profit, so organizations don’t wish to put forth the money, time, or effort. I was studying for the PenTest+ and CASP+ exams but figured it wasn’t worth it. I am currently brushing up my software skills and going back to Software Engineering. This whole idea of a Cyber Security shortage or that obtaining a certificate can change your life is a fiasco and will continue to be so until legislation is passed to hold the members of the board and the C-suite personally accountable.

  2. beenThereDoneThat

    As experienced both sides of the house, build vs. operate, there is no time to grow on-the-job training needed for success in this field. Ops and security are non-stop very fast pace threat detection and resolve. Best bet for entry level talent is to get a foot in the door on the dev / build side of the house.

  3. wageSlave

    A shortage can only occur at a price point at a given point in time. This is basic price theory. Understanding economic theory falls under the category of a defense against the black arts. I do love propaganda pieces that incorrectly frame discussions to avoid the real solution (paying for it) thus pushing a false narrative. The answer is let the market float. If the price is FIXED below the equilibrium, you have a shortage condition at that point in time. If the price is not FIXED below the equilibrium then the shortage goes away on its own over time. It is pretty simple, if the price is allowed to float above the equilibrium the market is incentivized to increase production. OVER TIME the shortage is replaced with overproduction and this oscillation continues until a new equilibrium is reached eliminating the shortage. That is not what is happening with the false narratives and the shortages last forever.

    Salary surveys based on wish list offering prices (price fixing), propaganda induced false narratives (blame educational institutions), and market entry & exit barriers are to blame. The pay is better than minimum wage, but just as inadequate. The pay scale priced below the economic costs of production will never work. Believe me higher education would love to increase production (a new teacher income source), but it cannot do it successfully unless the demand is real. Every community college in the country tries to offer this kind of education, but adequately priced jobs do not materialize and the classes are empty. Shortages do not create demand. Salaries floating above equilibrium do.

  4. I agree 100% with the comment by Michael P. and Dave A. I started even earlier. I too thought that Cyber Security would be the way to go. I would be transitioning from high end server hardware break/fix (A+, Server+, Network+) to Information Security. In 2007 I started looking for a school that would offer courses. It was not until 2008 that I found a local technical college that offered it. I wound up getting an Associates Degree in Information Security in 2011. Since I was working full time my employer would not let me intern. Got laid off in 2012 at the tail end of the great recession. While out of work I studied and got my Security+ certification. I quickly found that the security field is an old boy’s network. If you don’t know someone already in the field, you don’t have a chance of getting a security job. Another problem is recruiters are so non-technical that they can’t understand the skills you have and acquired through coursework. Most companies don’t have a security track so that you can get in at entry level. I have not made a dime in cyber security despite my degree. I wish my college had spent more time on classes/activities that brought students to the face of existing security professionals, managers and executives.