
Out of all the possible career paths that one could choose, whether it is after college or graduate school, or even during the phase of a successful career, we keep hearing about the lack of skilled workers in the Cybersecurity field.  I have been in IT for over 20 years myself and have never heard of such a worker shortage.

I think the last time I heard of anything this severe was back in the late 90’s, during the heyday of the Internet boom.  It seemed like all of these dot com startups wanted to have anybody that could do software development, especially when it came to the .NET Framework, Cold Fusion, Java, Oracle, etc.  Although these technologies are still being used, you really don’t hear about a job crisis in them like we are hearing in Cybersecurity.

But the numbers that we keep getting in the news are just general, macro numbers.  For example, the news media reports the overall shortage, but we have never heard exactly which Cybersecurity titles are in demand, or how the impacts of the workforce shortage are being felt in Corporate America.

Well, that is until now.  In order to give us much better insight into this, the Information Systems Security Association (also known as the “ISSA”) conducted a survey, along with the Enterprise Strategy Group (also known as the “ESG”).

Here is what they found:

*Overall, 74% of organizations have been impacted by a Cyberattack just within the start of this year, and although there are many reasons, one of the biggest ones is that of an IT Security staff that is just spread too thin.

*48% of the companies have experienced a major Cybersecurity breach within the past two years.  Apart from the hit that was taken on the bottom line, they also reported severe downtime when it came to reestablishing worker productivity.

*Because of the lack of a well-trained IT Security staff, 91% of the organizations polled in this survey feel that they are much more prone to a Cyberattack, even after deploying newer Security related technologies.

*94% of the respondents in this research survey feel that they are totally outnumbered by the daunting force of Cyberattackers – once again, they blame the lack of Cybersecurity workers that are on their staff.

*It was also discovered that 63% of the organizations polled in this survey do not even provide adequate training for their existing IT Security staff, specifically in these areas:

               *Cloud Security;

               *Applications/Software development security;

               *Security analysis and forensics.

But there are always two sides to an issue.  As much as Corporate America complains that they have a lack of skilled Cybersecurity workers, the existing workers that they do have possess their own set of complaints as well, which are as follows:

*40% of the Cybersecurity workers feel extremely frustrated in trying to convince upper management (especially the C-Suite) to buy into their ideas and initiatives;

*84% of the workers have stated that their employers are trying to take a much more proactive role in trying to become compliant with GDPR, but in the rush to do this, almost 45% of them claim that they feel they do not have enough resources or guidance from the C-Suite in order for compliance to actually happen.

*Even members of the C-Suite are afraid of losing their job, especially that of the CISO.  According to the survey, up to 33% of their employers are now making use of what is known as a “Virtual CISO”, or a “vCISO”.  The thinking here is: why pay a six-digit salary when the same level of work can be done for literally pennies on the dollar by outsourcing this role to a third party?

In order to combat all of this, President Trump and his administration just signed an Executive Order in order to take proactive steps to shorten the Cybersecurity workforce gap.  Although this is a good step forward, once again, it is too broad and general, with no specific actions being mentioned.

One area that was clearly mentioned, however, is that the Executive Order will allow for the Department of Homeland Security (DHS) to partner up with Corporate America and private industry, in order to help step up recruitment efforts, known as the “Federal Cybersecurity Rotational Program.”

My thoughts on this?

To be honest, trying to fill the void in this Cybersecurity workforce shortage will be a difficult and long task.  One would think that people would just jump on board, and make a huge career shift to a much higher paying and stable job.  But this is not always the case, as the survey has revealed.  Even the Cybersecurity workers that are currently employed are venting some serious frustrations.

It’s not that they do not command a high salary or have great benefits.  These workers often work very long hours (up to 12 hours straight) without enough of a rest period in between these long shifts.  This is just one thing, but they are also expected to work miracles, and prevent Cyberattacks from occurring.  But remember, this is the responsibility of all employees, not just the IT Security staff.

Also, in order to keep your existing IT Security staff from burning out, the C-Suite needs to take more time in being proactive in listening to and engaging with their ideas for new initiatives.  Remember, each and every suggested project may not be implemented, but the act of at least listening will go a long way in boosting Cybersecurity morale and productivity.

In other words, make your Cybersecurity workers feel appreciated by giving them tokens of appreciation, such as cash awards, bonuses, gift cards, free passes out to a date with their significant other, discounts to the gym in order to relieve mental stress, etc.

But this is from the employer side of things.  How about from the recruitment side?  Well, I have written a lot of articles on this, and there are a lot of tools and venues out there for luring top talent.  This ranges from offering internships to college students, having Cyber related boot camps for teenagers while they are still in high school, and even making hackers turn over from the proverbial bad side to the good side.

While all this is great in order to lure people in to apply and be accepted for Cybersecurity jobs, the trick is how to keep them further motivated so that they will continue to stay in Cybersecurity for a career for the long term and continue sharpening their skillset?

This question is even more difficult to answer than the employer side of looking at this.  Human motivation is a very complex and difficult thing to answer, and ultimately, it will be up to the employers in Corporate America as to how they will do this.  But each and every company is unique in this, so there is no easy answer to it.

But there is one thing to say with absolute, 100% certainty:  If you want a job, one will always be available in Cybersecurity.  But how you get there depends upon you and the organization you ultimately work for.

Finally, further details on the study can be seen at this link:

https://www.esg-global.com/esg-issa-research-report-2018

Details on Trump’s Cybersecurity Executive Order can be seen here:

https://www.dhs.gov/cisa/news/2019/05/02/white-house-cybersecurity-workforce-executive-order-bolsters-us-frontline