Understanding the cybersecurity skills gap

The issue of the cybersecurity skills gap has long been a hot topic for debate. On one hand, there is a growing risk for cybersecurity breaches. Back in 2016, a Telstra report estimated that 60% of businesses had suffered at least one breach every month. The figure had risen from 23.7% in 2015, implying that it could be much higher now.
However, in spite of this growing threat, the International Information System Security Certification (ISC)² reports that there is a skills shortage of about 3 million.
Shocking as these statistics may seem, they leave a glaring hole in the conversation as they fail to highlight the reason for the skills gap. Why is there such an acute imbalance between supply and demand when it comes to the cybersecurity profession? And how can the world fight back? Let’s find out.
Why is there a critical skills gap in cybersecurity?
The digital transformation
One of the most noteworthy reasons for the imbalance has to do with the rapid digital transformation that has a tight rein on the world. Keeping pace with the rate of development and deployment of technology has become nightmarish.
New devices are launched every waking hour based on new technology. However, cybersecurity training is not evolving at an equally dynamic pace. Networked devices, in particular, have become a favorite target as they open up the doors of opportunity wider than ever.
Given the history of cybersecurity and associated threats, it is easy to see why its growth is directly proportional to technological progress. The notion gained prominence in the ’70s when computers became commonplace.
And as they became connected, the menace grew in scale and magnitude, a trend that has persisted to date.
A highly dynamic threat
There is also a wide divergence between the rate at which cybercrime approaches are evolving and the potential of cybersecurity professionals to keep pace. Oftentimes, this means that when students graduate from cybersecurity-related courses, their skills are almost obsolete.
This makes it incredibly difficult for them to stay on top of their game and avoid getting one-upped by the bad guys. It does not imply that training in the area is of poor quality. Rather, it only goes to highlight the speed at which criminal malice is outpacing the sector’s ability to train new talent.
The profession has turned into a cat and mouse game, with professionals in a never-ending chase to catch up with cyber threats as they develop. In turn, this creates an even wider gap between the said experts and what they are defending.
Inadequate cybersecurity courses
At the same time, computer science programs are struggling to offer sufficient relevant courses for technologists interested in a cybersecurity career. In the US, for instance, only 42% of the top 50 computer science programs offer undergraduates specific information-security courses.
Though this must be higher than what was available five years back, it is still inadequate for filling the skills gap.
Any hope for bridging the gap?
The above statistics and facts paint a grim picture of the cyber warfare landscape. But does it mean that all hope is lost and the bad guys have won? Well, there is still a ray of hope left, but it requires a change in more areas than one. Consider some of the changes that could remedy the situation:
Continuous learning
As mentioned above, the cybercrime landscape is extremely dynamic, always evolving to stay out of the reach of security experts. Professionals need to adopt a similar approach so as to stay on top of things.
If they move with the tide, constantly updating themselves on the latest tactics and techniques, they will be able to grow and have success.
Looking beyond formal education
Interestingly, though we blame the education system for not offering enough courses, a majority of hackers (over 80%) are, in fact, self-taught. 33.3% of them have studied computer science as undergraduates while 23.3% have studied it in high school or earlier. However, less than 6% have learned their hacking skills in the classroom.
What does this imply? Security education should not be limited to the classroom. It is, in fact, possible to solve the skills gap without changing the education system. Organizations can take advantage of the countless educational tools outside the conventional classroom.
Ethical hackers (white hat hackers) have prepared tons of free course material for anyone interested in enhancing their skills. With this in mind, recruiters no longer need to focus on the college degree or resume. Rather, it’s all in the vulnerability reports.
Collaboration vs. unilateral efforts
For years, key players in the cybersecurity community have been working unilaterally to combat the growing menace. But there is a lot more to gain from collaborative efforts against the common enemy.
Industry giants such as Starbucks, Google, General Motors and Nintendo as well as smaller players like Coinbase and NextCloud among others are already collaborating with the hacker community. Through such efforts, they seek to supplement what their organizational security teams are doing.
Enhancing the security of new technology
Another approach that could address the widening skills gap has to do with the security of new technology. Instead of holding crisis meetings on how to get more youths interested in the profession, how about reducing security flaws from the onset?
If developers could put more effort into ascertaining that new technology is secure by default, there would not be any need for a debate to begin with. Though this might be one of the hardest changes to implement, it could also be one of the most effective. However, it would require regulatory intervention if it is to have any success.
A great example of a step in the right direction in this regard is the California Senate Bill no. 327. It requires manufacturers of connected devices to equip such devices with reasonable security features appropriate to their nature and function.
The future of cybersecurity
Having started in the ’80s, cybersecurity as an industry is still relatively young. At present, setting standards in education, job descriptions, and other areas is still a struggle. But as the landscape evolves, so will the sector.
With time, it should be better able to balance the supply and demand for skills. For now, a change of attitudes and collaborative measures can go a long way in containing the monster that is cybercrime.