Evidence of the cybersecurity workforce shortage continues to mount: By 2022, there will be 1.8 million open jobs in this field, according to the recent Global Information Security Workforce Study from the nonprofit ISC(2)–up from the 2015 estimate of 1.5 million by 2020.

“The numbers are going in the wrong direction,” said Wesley Simpson, COO of ISC(2), of the study, which surveyed 19,000 cybersecurity professionals. “It’s a huge concern to organizations as well as people in this profession.”

One major reason for the shortage? Millennials aren’t going into the field. Only 7% of cybersecurity workers surveyed were under age 29, and 13% were between ages 30 and 34. The average age of cyber professionals is 42, Simpson said.

“Over the next 10 years, we will have a large population of cyber professionals starting to retire,” Simpson said. “We don’t have a good plan to backfill those large number of folks starting to leave the industry. We need to be able to educate and bring awareness to all facets of cybersecurity, and [send a message] that regardless of if you have a technical degree or not, it’s a great, diverse, lucrative career for folks to get into.”


It is difficult to attract millennials to the field largely because of their lack of awareness, Simpson said. Cybersecurity is often not on the radar of young children as a potential career, or as being different from general IT work. “This is a field in great demand, with 2% unemployment globally, and an average salary of about $100,000. We’re not doing a good job educating folks about it,” Simpson said.

The security field has traditionally self-selected for auto-didacts, said Forrester analyst Jeff Pollard. People who were curious, analytical, and had a desire to tinker tended to find the security field and explore careers in it. However, “that model doesn’t scale, and security isn’t the only field where people with those traits might find success,” Pollard said.

Further keeping the industry from drawing in younger employees are the job postings, Simpson said: Descriptions for cybersecurity professionals may vary, with different roles, responsibilities, and lexicon used. “Even within organizations, there are different flavors to what we do and what we call it,” Simpson said. “As an outsider, you might see this as disjointed, and it makes it confusing to get into.”

Many job descriptions for entry level security professionals also include specific developer skills, which are not necessarily needed for the position, Pollard said. “You don’t need a bachelor’s degree in a specific field to be great at security; in fact, you don’t necessarily need one at all,” Pollard said. “Recognize that cybersecurity is a skill, and teach people the profession of enterprise security. That means treating it like an apprenticeship or training program.”

It can also be difficult to discern a clear career path in cybersecurity, as many people in the field enter from different areas, Simpson said. Some 87% of cybersecurity workers globally started in another career, many of which were not IT related, the ISC(2) study found.

Plus, security is a wide field with vastly different roles, including penetration testing, application security, incident response, and malware analysis. “There are dozens of ways to specialize in the security field that are absolutely not obvious to someone breaking into the field,” Pollard said. “Young people may not know that there are other options than working in a security operations center for two years, or getting an accounting degree and going to work for a consulting firm for a few years. There are tons of other jobs, specialties, and options available to become a working security and risk pro.”

Companies also tend to seek cyber recruits from the same pipeline of STEM graduates, Simpson said, largely ignoring those in the arts and other nontechnical fields. And potential job candidates tend to believe that if they are not a computer science major, they cannot get into the field, he added.

“That’s wrong–history or psychology, for example, are great degrees to have in this field, due to the depth of analytics, research, and ability to take information and craft it into the right mechanism for the right audience at various levels up and down the organization is difficult for the real technical-type person,” Simpson said.


Millennials–the most diverse generation yet–fit particularly well in the cyber industry, with its various components and needs. “The hackers are very diverse, located all over the world–they think differently and move quickly,” Simpson said. “We need those different personalities, experiences, and degrees. We need to think the way they do.”

Women of all ages are an untapped resource for cybersecurity positions, as they only make up about 11% of cybersecurity workers globally, according to another ISC(2) report. Companies should also look to veterans, with their skills in communication and leadership, and members of their existing workforce to potentially fill cyber gaps, Simpson said.

However, social and professional networks remain the top recruitment tool favored by cybersecurity hiring managers, though it is unlikely that these circles include many young people, women, or people from diverse backgrounds, the report noted. And when considering new applicants for a position, 94% of hiring managers indicated that previous experience in the field was an important consideration.

“In order to fill the worker shortage, current methods of hiring and recruiting must be adapted to keep pace with the changing workforce, and this includes exploring non-traditional channels of recruitment,” the Global Information Security Workforce Study stated. “Current practice creates barriers to entry that both limits the breadth of expertise attracted to the profession, and the ability to address the skills gap itself.”
