Cybersecurity talent: Worse than a skills shortage, it’s a critical gap

The U.S. House of Representatives next week is expected to consider important measures aimed at bulking up American cyber defenses in the wake of numerous and relentless attacks. Leaders from government and the private sector continue to reinforce that cybersecurity is everyone’s business. The problem, however, is that we don’t have the workforce needed to address the challenges before us.

ISACA recently teamed up with RSA Conference to conduct a study entitled “The State of Cybersecurity: Implications for 2015,” which gives detailed insights into this challenge. We surveyed 649 global cybersecurity and IT managers and practitioners to obtain their insights into the depth of the challenge we face, the potential pitfalls and where we need to set our focus.

The results reinforce an increasingly familiar problem: 77 percent of respondents said they experienced an increase in attacks in 2014. And 82 percent of organizations expect to be attacked in 2015. Even more alarming is that less than half of those surveyed believe that their current security teams have the ability to detect and respond to complex incidents. There are simply an insufficient number of qualified, skilled professionals available to do what’s needed to protect organizations and consumers.

While February’s White House Summit at Stanford and the current movement in Congress are steps in the right direction, increased awareness of the talent issue is now urgently needed. We are not just facing a shortage of cybersecurity professionals; it is a gaping skills gap. Just over half of those surveyed, or 52 percent, said that less than a quarter of applicants for cybersecurity positions have the necessary skills for the open position. As a result, 53 percent said it can take three to six months to find a qualified candidate. This means three to six months where a short-staffed security team is trying to fend off cybercriminals while safeguarding intellectual property, sensitive customer data or even critical infrastructure.

And when we factor in the rapidly growing connectivity of devices—from cars and medical devices to utilities—cybersecurity is now a matter of public safety. Unfortunately, conventional approaches to cybersecurity training and certification are not keeping pace with the reality of today’s fast-changing and complex technology landscape. Traditional approaches to security training need immediate reexamination, and we must quickly and aggressively boost efforts to educate a new generation of cybersecurity experts.

Near-term, business, government and the nonprofit community should work together to retrain existing experts in IT who display an interest in transitioning their careers. Longer-term, the same constituency should collaborate with the university community to more tightly integrate digital security into the curriculum.

CIOs and CISOs today know that being attacked is a matter of not if, but when. With the frequency of attacks growing exponentially, businesses need to be confident that candidates have the right skills and knowledge to address cybersecurity incidents from their first day on the job. At the same time, cybersecurity professionals need hands-on training to keep their skills sharp as adversaries develop new technical and creative tactics for attack. The time is now to reshape cybersecurity training and ongoing professional development. To ensure that the organizations creating economic advantage or protecting citizens’ private data have access to a properly trained and credentialed talent pool, leaders in the private and public sectors must invest in and insist on a properly trained cybersecurity workforce – and fast. It’s the only way to give ourselves a fighting chance.

Loeb is chief executive officer of ISACA, a global IT association serving 115,000 cybersecurity, risk and audit professionals.