Scarcity of Cyber-Security

Scarcity

In the cybersecurity arena, hiring is extremely difficult, and the numbers are here to prove it. With more than one million cybersecurity positions unfilled worldwide, currently-identified security needs could not be met if every employee at GM, Costco, Home Depot, Delta, and Procter & Gamble became security experts tomorrow. Of those one million positions, about 25,000 of them are in the United States’ federal civil service. While some authors tout the idea that working for the government brings side benefits that private industry cannot match (such as a sense of giving back to the community and country), these benefits are clearly insufficient to meet the current demand. The military is also interested in locating additional cybersecurity experts, but their goal is to produce them internally, hence their numbers are not included in this analysis. To be clear, this is a global problem which affects every country, regardless of apparent level of technological integration. Few countries’ governments can match private salaries, and even private industry is unable to hire sufficient security expertise to meet the demand.

Import or Educate?

There are two large-scale solutions for solving shortages in specialized fields: import the talent or grow it organically. These solutions are not mutually exclusive, but they are both limited. The first solution involves finding expert security workers in other countries. The United States has the NAFTA low-friction visa zone and the H1-B visa, but both are limited, either by outdated wording that excludes cybersecurity experts or by the very small number of visas granted.

H1-B visas require significant technical expertise and are capped at 85,000 people holding at least a Bachelor’s degree (20,000 of whom must hold a Master’s or above). The vast majority of H1-B visas, 68%, are for computer-related jobs, and the majority of those positions are, in turn, related to security. Three major American firms (SAIC, Booz Allen Hamilton, and 3M) list a combined 2,986 unfilled positions on their H1-B-specific cybersecurity recruiting pages, as of this writing. The 2014 H1-B visa cap was filled to more than double its quota within 6 days of accepting applications. Presumably, these positions will stay unfilled for at least 12 months, when the application window will open again.

These 85,000 experts—representing approximately 57,800 computer experts, of whom a significant percentage are security-related—do not magically appear on a global scale. Furthermore, a “brain drain” on this scale may be, at an extreme, considered a threat to the national security of the countries of origin.

Just three U.S. firms list nearly 3,000 cybersecurity positions they cannot fill with Americans.

The second category of solutions involves training domestic persons to a sufficient level of expertise in security. Ignoring the obsolescence of the current education system in technology fields, specifically in IT and especially cybersecurity, essentially all first-world countries and most second-world countries have one or more government-supported educational initiatives to identify and train cybersecurity talent. These range from educational scholarships to intelligence-agency-led curriculum design, and they apply to every level from secondary education to PhD programs. These programs cannot, however, scale quickly or effectively enough to deal with the outsized demand for expertise. To take one illustrative example, the entire United Kingdom’s advanced, GCHQ-led cybersecurity programs will produce just 66 PhDs with a cybersecurity focus per year, beginning in 2017. Furthermore, the UK has implemented a requirement (starting 2015) for all computer engineering degrees to include one elective course in cybersecurity. While educating students at a basic level will, in time, motivate some of them to continue their education and attain mastery, this is a many-year process with no gains at the expert level in the short and medium term.

Across NAFTA, the EU, and BRICS, there are many “computer engineering” educational programs, but outside of government-led initiatives, very few are specific to cybersecurity. Furthermore, there are only a handful of PhD programs worldwide for cybersecurity. In addition to educational programs, business and non-profit groups are trying to stimulate interest both in STEM fields generally and in cybersecurity specifically by sponsoring events, promoting diversity, and funding grants to schools and other entities. A great deal of time, money, and attention is being focused on cybersecurity workforce development, but it is still unclear what long-term effects these efforts will have on the supply of cybersecurity practitioners, especially at the expert level.

Conclusion

While this report has focused on the educational programs being launched and/or upgraded to train additional cybersecurity talent, it is important to realize that education is not the same thing as expertise. Even very-well-trained students from commendable degree programs will require time and experience to reach the level of expertise required of them. Beyond a certain point, putting more money into the problem will prove ineffective at shortening the time it takes to develop new security expertise. In the future, countries that depend on “locking in” their security talent by moving personnel from one country to another will face obstacles to attraction and performance, arising from individuals’ patriotism and from competitive “bidding wars” among companies and nations. A more sustainable idea may be to encourage the sharing of talent and technical resources; this would allow the world as a whole to secure fewer pools of critical data, rather than a multitude of balkanized networks.

Taken together, these factors indicate that it may not be possible for the vast majority of countries to source the necessary security expertise to secure their infrastructure locally. Since security practice is something that can be done across national boundaries, it seems increasingly clear that a significant amount of security expertise must be shared. Any plan that requires a country to source its security talent, its data, or its computational infrastructure locally may be requiring the impossible, and harming the country’s ability to secure its industry. If Fortune 100 companies and world governments cannot quench their own thirst for cybersecurity personnel, how can small and medium-sized businesses cope with such extraordinary demand? That is where we come in.

Contact Augury IT today for a free network security assessment.

[email protected]  (949) 274-9765.

Garett Moreau

World-Class Managed IT; Leader in CySec; Forensics Examiner; IT Polymath; Information Dominance

9 years ago

The Cyber Security space is white-hot with activity and investments into new products - the offerings increase daily. I am curious to see how it all plays out in the endgame but that is at least a decade or two away. Nonetheless, at the end of the day, there is no replacement for expertise. Surely Cyber Security Liability insurance is big but the gaps I see in businesses are terrifying. I see businesses on a daily basis that I would put at single-digit compliance on a scale of 1-100. And these are not always small companies. Nobody can assume 100% protection, as access and security have an inverse relationship, but we can get companies into dealing with the 9's. 99, 99.9, 99.99, etc. without compromising function and productivity. There is a science AND an art to network security and it's scary to see how seldom it is properly configured and maintained.

PHLY has an exceptional Cyber Security Liability product.
