According to the 2019 (ISC)2 Cybersecurity Workforce study, almost three million professionals are currently working in cybersecurity worldwide. While that number may seem significant, it hides another reality: an additional four million professionals are needed to fill current and future cybersecurity positions, leaving a large gap between the available workforce and businesses' needs.
To highlight this, about 65 percent of the organizations surveyed in the study said that they lack enough professionals to adequately fill their security needs, with an additional third reporting that the lack of skilled, experienced security staff remains one of their biggest employment woes.
One key driver of this growing problem is the increasing demand for technology professionals by businesses outside of the actual technology industry. According to LinkedIn, almost two-thirds of all developer jobs are with companies whose main function is not technology--and indeed, almost every modern organization relies on technology to keep its business running. It also follows that if a company utilizes technology staff, it also needs cybersecurity staff--but companies are finding it increasingly difficult to find qualified professionals.
A key barrier to injecting more cybersecurity professionals into the workforce is the way such professionals start their careers. Currently, fewer than half of security professionals in the 2019 survey began in the industry. That's partially because there are still few university degrees offered in cybersecurity. While there are plenty of relevant certification programs and organizations are increasingly upping their cybersecurity training budgets, there remains a gap due to a lack of understanding on employees' part about the viability of a career in cybersecurity.
Indeed, while there are plenty of campaigns to get children interested in jobs in coding, robotics and web development, there's a lack of such awareness initiatives regarding cybersecurity.
As (ISC)2 Managing Director Deshini Newman says, "the industry has been shrouded in mystery: it's like a club that's difficult to get into…we have to make it more mainstream, more accessible and more transparent."
In order to do so, says (ISC)2 Chief Operating Officer Wes Simpson, the industry overall also needs to adjust what it sees as necessary in a cybersecurity professional: "Brainstorming, communications, collaborations and teamwork: a few years back those weren't valued in cybersecurity. We just wanted the best and brightest and the technology expert but now we need somebody who can talk and communicate and facilitate. What we're starting to see is that the typical CISO and security role is morphing from needing the traditional computer science background to a much more diverse non-technical background. Security leaders have to interpret data and tell a story that's going to be meaningful to the CFO, the CEO, the board of directors."