<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

The Cybersecurity Skills Gap

down-arrow

The cybersecurity skills gap is nothing new to the seasoned cyber professional. It has been widely discussed in cyber and information security circles for some time. The main flag that many, including TechCrunch, are currently citing as an indicator that the skills gap is widening is the (ISC)2 report stating that there are now almost 3 million cybersecurity jobs unfilled worldwide. Having been a part of the skills gap conversation from multiple sides - as a cybersecurity research fellow at MIT, a Fortune 50 CSO, and collaborator on numerous NIST cybersecurity initiatives, I’ve considered the root cause of the skills shortage that our industry is facing and how this problem will be solved.

Why A Cybersecurity Skills Gap Emerged

In the early days of information security, it was seen as a niche specialty within computer science (an already niche field). For technical leaders in the late 90s and early 2000s, computer science in practice was not learned in a university setting - the skills were acquired as needed. Furthermore, the complexity of a field such as cybersecurity makes answering the question “so what do you do?” extremely complicated. As early members of the now exponentially growing field of cybersecurity, being ambassadors for the field is difficult - explaining cybersecurity to a spouse is incredibly complicated, let alone communicating it to a high school senior or college freshman. The way by which current information security leaders acquired their skillset is very different than what these new positions are seeking now. We are reaching an inflection point in the cybersecurity skills gap that I believe could already have been solved.

The Cybersecurity Skills Gap Inflection Point

The inflection point that I’m referring to is the intersection of the general public’s realization that the digital world and the physical world are far more closely connected than we realized, and the fact that to date members of industry and academia had not considered cybersecurity as a foundational principle of computer science. While many have been sounding the alarm for years, we are now seeing the cybersecurity skills gap widen even further as the demand increases and the supply is not there - yet.

Adjust Your Timeframe

Having worked in both academia and the corporate world, I have seen the juxtaposition of the timeframes of these two environments: corporations move exponentially faster and rely on the forces of public opinion and demand, both of which are moving exponentially faster given the rapid pace of technological advancement. So there you have your source of increased demand. On the supply side, we have academia. Academia, at its fastest, moves in four-year generations. One change made with one class requires fours years to see the impact of that change. What we see with the skills gap is the demand growing faster than the supply can support.

NIST’s NICE Intervention

Foreseeing the gap that many are only starting to see today, I was apart of a team assembled by NIST to solve what could be the defining skills shortage of our era. Some foresaw the supply and demand equation that I outlined above in the public and private sectors, and the solution we developed was a government program that would be able to supplement the supply generated by the academic institutions.

NICE: National Initiative for Cybersecurity Education

NICE emerged as a partnership between government, academia, and the private sector to help augment existing members of the workforce and engage students to realize how cybersecurity fits into their education. When we first began developing programs at NICE, we started at the Masters’ level - educated enough to realize the need but probably still involved in the private sector. However, as time went on, we discovered that that was not sufficient. We went further back to undergrad, then high school, and eventually built out a K-8 curriculum. The fact was and still is, that cybersecurity is as critical as physical security and future generations will probably see little difference between the two.

Back To The Skills Gap

So great, NICE has been working for years on this problem and yet we are skills seeing an increase in the skills gap - is it not working? No. The fact is that while NICE has been able to supplement the supply of cybersecurity workers delivered by academia, education cycles are some of the longest. While demand continues to skyrocket, the supply is not going down it has merely not increased at the same rate.

The Solution Is Here

The alarms that many have raised recently are not new - instead, the awareness is. While I believe we have a sustainable solution in place, sustainable initiatives take time to implement. In my next post on the skills shortage, I plan on discussing the use of “new collar” workers as a stopgap to the expansion of the cybersecurity skills gap while initiatives like NICE are implemented for the long term. 

You may also like

October Product Update
on October 3, 2022

Hey, Jimmy - is it really always 5 o’clock somewhere? If not, it should be! With this release, we’re focusing on empowering our customers to work smarter, not harder. Whether ...

How Does FAIR Fit into ...
on September 26, 2022

The Factor Analysis of Information Risk (FAIR) methodology breaks down risk into elements that organizations can compute, understand, analyze and quantify cyber threats and their ...

All-in-One Cybersecurity Board ...
on September 19, 2022

CISOs and Board Members can no longer ignore the importance of cybersecurity. New cyber attacks and threats surface every week and threaten the security of business operations. ...

Rules for Effective Cyber Risk ...
on September 12, 2022

Cybersecurity threats are becoming more challenging for businesses. According to PurpleSec’s Cyber Security Trend Report in 2021, cybercrime surged by 600% during the pandemic, ...

A Pocket Guide to Factor Analysis ...
on September 14, 2022

FAIR, short for Factor Analysis of Information Risk, is a risk quantification methodology founded to help businesses evaluate information risks. FAIR is the only international ...

Your Guide to Cyber Risk ...
on August 30, 2022

During the pandemic, online businesses flourished as people turned to e-commerce stores to shop from the comfort and safety of their homes. This unprecedented expansion of ...