A new collaborative research by Intel Security and the Washington-headquartered Center for Strategic and International Studies (CSIS) has detailed how the shortage of cybersecurity skills is the root cause for significant data loss, which damages finances and reputation of countries and businesses.
The study detailed reports from cybersecurity experts from various organisations in the US, UK, France, Germany, Australia, Japan, Mexico and Israel, and 82% of them confirmed there was a shortage in workforce.
The study titled Hacking The Skills Shortage revealed that in 2015, over 200,000 cybersecurity jobs were left vacant in the US alone. The disturbing statistics were noted, despite 1 in 4 IT experts confirming that their organisations had lost proprietary data due the shortage of skilled professionals. Additionally, the research estimated that an average of 15% of cybersecurity positions will remain vacant by 2020.
Intel Security CTO (Emea) Raj Samani told IBTimes UK: "It has been estimated that total global cybersecurity spending will exceed $100bn [£763m; €908m] over the next four to five years. Yet, beyond this investment, the shortage of cybersecurity skills can also lead to huge costs for businesses as a talent shortfall could make organisations more vulnerable to attackers. A lack of sufficient cybersecurity staff could encourage cyber thieves to target a specific business, resulting in data loss or theft, reputational damage and the possibility of large fines."
While, James A Lewis, senior vice president and director of the Strategic Technologies Program at CSIS explained, "A shortage of people with cybersecurity skills results in direct damage to companies, including the loss of proprietary data and IP. This is a global problem; a majority of respondents in all countries surveyed could link their workforce shortage to damage to their organisation."
Supply and demand
One of the reasons why the industry is experiencing such a shortage is due to the dramatic rise in demand for cybersecurity professionals, which has outpaced the supply of qualified professionals required. In fact, the study revealed that only 23% of respondents felt that academic programs were adequately training students to enter the industry.
Samani said, "Certain skills are in high demand. Our research found that the most desirable skills are intrusion detection, secure software development, and attack mitigation. Those with experience in these areas will be highly sought after.
"A number of academic institutions already provide courses around cybersecurity. That said, it is a relatively new industry. Whilst the number of academic courses focused on cybersecurity may be considerably lower than traditional programmes, professional certifications which focus on niche security areas – thereby allowing participants to specialise in a certain skill – are on the increase. There are ways to access specific cyber skills which do not involve a degree course."
The report also indicated that non-traditional training methodologies like hackathons, gaming exercises and hands-on training may in fact be more effective in mitigating the skills shortage.
Cost and damage
Given the current skills shortage, the industry will be hard pressed not to consider increasing its spend on cybersecurity. The study revealed 71% of respondents who spend more on security are consequently better equipped to deal with the blowback of the skills shortage. Samani added, "Different organisations will need to invest differing amounts to ensure sufficient security measures are in place. Businesses may even assign different budgets across separate areas of the business in order to reflect the varying levels of sensitive data handled by each department."
Room for improvement in cybersecurity recruitment
The study further revealed that while salaries are undoubtedly the top motivating factor in recruitment of skilled professionals, additional incentives such as growth opportunities, additional training and overall reputation of an organisation's IT department, play an important role in attracting and retaining qualified staff.
"Just as high growth, high salary careers in cyber security are bringing job seekers into the cybersecurity market, many recruiters are also just getting to grips with the wide variety of skills and qualifications within the sector. Inexperienced recruiters with little knowledge of the market will struggle to find the right person for the job. To attract the best candidates, businesses must ensure an effective and well executed recruitment strategy is in place to choose the right employee from the available pool of cybersecurity talent," Samani explained.
He also said that although the cybersecurity skills shortage is "not necessarily an immediate threat", it remains an important challenge that needs to be addressed by both businesses as well as governments. Calling for a balanced attitude in addressing the issue, Samani added, "It's often best to consider a blended approach – a combination of people, process and technology. Hire the right candidates but ensure innovative technology is in place to lighten the load for staff."