You Can’t Hire Your Way Out Of The Skills Shortage… Period.
Training alone can’t close the cybersecurity skills gap. It’s just math.
A major component of President Trump’s recent executive order on cybersecurity (see Sec. 3, Part D) calls for “workforce development” as part of strengthening the nation’s overall cybersecurity posture. While there has been some optimism around the potential for closing the massive cybersecurity skills gap by training more people, a look at some hard numbers clearly demonstrates that training alone will not even come close to addressing the massive skills gap the country faces.
That’s not to say that workforce development is a wasted effort – encouraging young people to seek careers in cybersecurity will certainly be part of the solution. As the volume and complexity of threats increase, we need smart people that will continue to stay ahead of criminal – and even state-sponsored – elements that are only becoming stronger and more organized. Cybersecurity proponents have recommended things like building “corporate universities,” promoting STEM boot camps for kids, and setting realistic expectations at the entry level to help address the talent crisis. These are all good ideas that shouldn’t be discouraged, but they’ll never be enough.
To clearly see the size of the gap that will still exist if we try to solve this problem with manpower alone, you just have to look at the numbers.
The non-profit Center for Cyber Safety and Education predicts that there will be a global shortfall of 1.8 million cyber security workers in the next five years. Anyone will admit that’s a big number, but just how big is it? To put the size of the shortfall in context, consider that colleges and universities in the U.S. are expected to award a total of 1.9 million bachelor’s degrees during the 2016-17 school year, according to the National Center for Education Statistics (NCES).
So, one way to close the gap quickly would be for nearly every single college graduate this year to enter the cybersecurity field. But obviously, that’s never going to happen.
How many people can we expect to graduate and go into cybersecurity careers? Experts have pointed out that the number of young people entering into IT-related fields may have slowed down a bit at some point during the last 10 to 15 years as many companies turned to offshore outsourcing, and the market for IT skills started to look bleak. But that pendulum has swung back, and information security is now lauded as an area with abundant opportunity for job growth and career stability.
IT and cybersecurity have been a bright spot in the job market, offering promising careers to college graduates for at least a few years now. And going back to data from NCES, that knowledge incentivized 59,581 people to earn degrees in “computer and information sciences” fields during the 2014-15 school year. Again, it sounds like a significant number, but it only accounts for about 3 percent of all the bachelor’s degrees awarded. And remember, that number reflects all “computer and information sciences” degrees, not just those related to cybersecurity. But for the sake of argument, let’s say that all 60,000 people were going into cybersecurity jobs. If that were the case, it would still take 30 years to fill a shortfall of 1.8 million people.
To continue with the “best-case” hypotheticals, let’s assume companies were able to hire all the trained professionals they needed to secure their data and infrastructure. Getting all those people on the payroll would simply be cost prohibitive. One of the easiest ways to demonstrate this is by looking at the time and resources it takes for level 1 and 2 cyber analysts to investigate and remediate threats.
On average, an enterprise organization can receive around 10,000 security alerts per day, and that number can increase exponentially at larger companies. A few years ago, BP’s CEO spoke to CNBC about the volume of attacks at his company saying, “we see as many as 50,000 attempts a day like many big companies …”
These alerts take time to investigate, and when a threat is found, even more time to remediate. On average an experienced analyst can perform roughly 10 investigations per day. So, to field the 10,000 alerts that many organizations receive, you’d need 1,000 people. If the salary for those people averaged out to about $100,000 each, a company would be spending $100 million just investigating alerts.
And remember, we’re only talking about the manpower needed to investigate and remediate threats. This accounts for a lot of the heavy lifting in securing an organization, but there are also a number of other jobs required to implement a comprehensive IT security strategy.
While developing the cybersecurity workforce should be applauded, it’ll fall way short of the ultimate goal of ensuring that important data and infrastructure is secure. Even when using some very generous hypotheticals, the numbers just don’t add up. We’ll be hard-pressed to find enough people able to fill the number of cybersecurity job openings, and even if those people existed, employing them all would be cost-prohibitive.
The attacks on our networks are getting more aggressive because the people directing them are using highly coordinated and automated technology. To be successful at defeating them, we need to fight fire with fire and start doing the same. Getting more people into the cybersecurity field and making sure they’re highly trained is very important. But we need to help them work smarter, not harder, which is why technology that uses intelligent security automation will be an essential part of the solution.
About the author: As Vice President of Marketing at Hexadite, Nathan Burke is responsible for bringing Hexadite’s intelligent security orchestration and automation solutions to market. For 10 years, Nathan has taken on marketing leadership roles in information security-related startups. He has written extensively about the intersection of collaboration and security, focusing on how businesses can keep information safe while accelerating the pace of sharing and collaborative action.