A Perfect Storm in Cybersecurity

Is there a shortage of cybersecurity talent? What are the main challenges that cybersecurity pros are facing? If you are looking to understand the issues that matter most in cybersecurity, there is no better person to ask than Deidre Diamond, founder and CEO of CyberSN and brainbabe.org.

Deidre has spent over 20 years leading technology and cybersecurity organizations, leveraging her strong sales background in cybersecurity software. Today, she is working to transform the cybersecurity employment marketplace through her two organizations. CyberSN, the largest staffing firm in the U.S. focused solely on cybersecurity, works as a bridge between cybersecurity professionals and employers; its motto is “Where talent meets its match.” Brainbabe.org develops opportunities for hiring and retaining women in cybersecurity and supports those already in the profession with a communication framework that advances and empowers both women and men in the workplace.

We asked Deidre for her insights into the cybersecurity skills gap, the role of automation in cybersecurity and cybersecurity trends for 2020.

What are the top challenges in hiring in cybersecurity?

Deidre: The cybersecurity talent marketplace is very complex, and there are many problems to be solved. A critical one is connecting cybersecurity experts with their future employers. Although a large portion of the community — 89% — are interested in looking at new opportunities, and as much as 99% are open to moving to new jobs, people often waste a lot of time on job searching. There is difficulty in matching a job opening with the right person with the appropriate skills.

A big part of this problem is that job descriptions are inaccurate. Cybersecurity has 35 job categories and around 115 titles. “Security engineer” can have eight different profiles. With changing technologies, there are many more titles coming that we don’t know about yet. This complexity can be addressed by writing job descriptions and profiles in a common language so they make sense.

There is also a salary problem. IT pros normally make 25% more in cybersecurity than in technology. That’s a challenge for businesses because it’s hard for them to meet salary requirements.

Do you see a shortage of experts? If so, what is needed to address that problem?

Deidre: Right now, there are 2 million cybersecurity roles empty worldwide, and 500,000 of them are in the U.S. However, the biggest problem is talent retention. Right now, the industry is not retaining cybersecurity professionals. If we want to solve the talent shortage, we need to have clearly defined roles and responsibilities, succession planning, and training — we need to invest in career development.

The more companies invest in their cybersecurity talent, the sooner we will see the impact because people will be willing to stay in cybersecurity. When companies have entry-level specialists and succession planning in their security departments, that would change the game. Right now, everybody expects specialists to come out of school already trained, and that’s not how schools work — there is no hands-on training. That is starting to transform, mainly because universities see the problem, but it takes an eternity to change.

How do you see the role of automation in cybersecurity? Can automation help solve the skills shortage?

Deidre: With advancements in technology, there is automation in all industries, and we welcome it. It helps from the perspective of jobs that people like to do — burnout happens less. And that’s critical, because people who are trying to manage vulnerabilities have jobs with high burnout rates. An average cybersecurity employee does a 3-in-1 job, and most of them are emergency workers. Automation will help people enjoy their work, be more efficient, and be able to do things that are more powerful for the company.

Because attacks are growing and being secure is more important than being compliant, it is unlikely that the shortage will become less. We are going to cover part of the job through automation, but certainly that won’t enable us to fully bridge the gap.

Has anything changed in the cybersecurity hiring market over the last five years?

Deidre: The conversation about equality and inclusion is at the forefront now. Many initiatives today focus on policies that push organizations to appreciate diversity. People have begun to understand the need for women in cybersecurity. For a long time it was thought that tech and cybersecurity were a man’s world, a man’s job. That really caused a pipeline problem in the U.S.; we are short of women significantly. But there is also an inclusion challenge — we find that women leave the industry, so the problem is also about culture and working to explain that cybersecurity is more than a keyboard and a hoodie.

The good news is that there is a conscious conversation about diversity, which was hard to imagine several years ago. There are many organizations, including my own, focused on making changes, though it takes time. There are many programs like “Girls Who Code” and “Brownie Cybersecurity Badge,” and universities and communities are helping girls think about cybersecurity and be attracted to it.

Final word

Right now, there is an imbalance between the demand for and the supply of cybersecurity professionals. Combined with the lack of gender diversity and how easily these professionals burn out, the industry appears to be in a critical situation.

With the rise of cyber attacks and the emergence of new technologies and regulations, the demand for cybersecurity professionals is not going to decrease any time soon. Therefore, it is important to pay more attention to the many different factors that contribute to a balanced workforce and workplace for cyber pros. One of these factors is automation: automating as many internal processes as possible. This will help ensure that the few cyber professionals in your organization, whom you spent so much time searching for, can focus on what’s really important and let tools and software do the rest.

Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.