
Where Have All the Cybersecurity People Gone?

There is no shortage of job openings in cybersecurity and related fields—and that’s not good news for thousands of organizations around the U.S. At recent industry conferences—HCCA Compliance Institute, IAPP Global Privacy Summit, and PHI Protection Network Conference—I heard from executives in healthcare, education, and other fields about their continued struggle to find, attract, and retain well-qualified security professionals.

Cisco estimates that there are over 1 million unfilled cybersecurity jobs worldwide. Based on an analysis of figures from the Bureau of Labor Statistics, Peninsula Press found that in 2015 there were over 209,000 unfilled cybersecurity jobs in the U.S. alone.

All those job openings mean there are a lot of organizations—big and small, in just about every industry—that do not have the right cybersecurity professionals, or enough of them. Given the growing number and sophistication of cybersecurity attacks, that’s a big problem. And it is getting worse.

A March 2014 report by Burning Glass Technologies found that demand for cybersecurity professionals grew 74 percent from 2007 to 2013, over twice as fast as all IT jobs. And, according to Peninsula Press, demand for skilled cybersecurity professionals is expected to grow even more in the years to come—by 53 percent from 2015 through 2018.

Reasons for Rising Demand

It’s not hard to understand why the demand for cybersecurity professionals is growing. Customers, shareholders, and employees are increasingly aware of cybersecurity risks, and they expect organizations to be protected.

At the same time, new and ever-changing regulations make the field of cybersecurity more nuanced and challenging, further narrowing the pool of qualified candidates. Years ago, organizations expected their traditional IT professionals to take care of cybersecurity defenses, but the scope and complexity of the task have grown tremendously.

Today’s cyberattacks are increasingly sophisticated, perpetrated not only by individual hackers but also by nation-states and networks of highly paid professionals. The emergence of new forms of attack such as ransomware further underscores the evolving nature of the threat, and thus the growing demand for highly skilled professionals to defend against it.

Industry Challenges

When organizations move to hire chief information security officers (CISOs) and other privacy and security professionals, they often run into another problem: They’ve already been hired.

The best and brightest students and executives attract the biggest salaries from leading-edge companies such as Amazon, Google, and Facebook. Healthcare companies, government organizations, nonprofits, smaller businesses, and others struggle to keep up, given that they typically offer lower salaries, fewer benefits, and less glamour and prestige.

The challenge in healthcare is especially critical, given the sensitivity of the private data held at such institutions and the rising number of cyberattacks in the industry. Two of the five biggest breaches of 2015 occurred in the healthcare industry, and the average healthcare breach through the first half of 2015 was 200 percent larger than in the first half of 2014.

Next week, Ponemon Institute will come out with the Sixth Annual Study on Patient Privacy and Security of Healthcare Data, which will provide more insights and data regarding cybersecurity issues and trends in the healthcare industry. What’s already clear is that healthcare organizations are trying to add more cybersecurity professionals to combat the growing number of attacks.

According to Burning Glass Technologies, the number of cybersecurity job postings in healthcare grew by 73 percent from 2010 to 2013, to over 12,200 postings. And those jobs did not get filled quickly—it took 36 percent longer for organizations to fill cybersecurity postings in 2013, compared to all job postings.

An Oct. 24, 2015, article in Modern Healthcare further underscores the challenge of finding and retaining cybersecurity professionals in the healthcare industry. Michael Minear, the CIO at UC Davis Medical Center, indicated that he had built a strong and talented security staff—but two of his five security staff members were poached, presumably to accept higher-paying jobs.

Filling the Gaps

As highlighted in the recent Advisen report, Mitigating the Inevitable: How Organizations Manage Data Breach Exposures, only 45 percent of organizations believe they have adequate resources to detect all breaches.

Help is coming—soon, we hope—for organizations that want to hire in-house experts. Colleges and universities are adding science, technology, engineering, and math (STEM) courses and degrees to meet rising demand, not only in cybersecurity but across the IT landscape. Some schools, such as Utica College, offer convenient options like an online Bachelor of Science degree in cybersecurity.

Students do not have to major in cybersecurity to pursue careers as cybersecurity professionals. Degrees in subjects such as mathematics, computer engineering, and computer science lay the necessary foundation, although it’s worth noting that none of those subjects were in the top 10 of USA Today’s 2014 list of the most popular college majors in the U.S.

Certifications can also help existing privacy and security professionals get hired and promoted, and help organizations identify the well-qualified individuals they want to hire. There are challenges here too, however. Burning Glass Technologies reports that employers recently posted 50,000 jobs requesting Certified Information Systems Security Professional (CISSP) certification—from an available pool of only 60,000 CISSP holders.

Another option for organizations that are struggling to meet their current demands for cybersecurity professionals is to train existing IT personnel. Internal training can be effective if existing employees are not already overwhelmed with other responsibilities and if organizations have the time and resources to provide the necessary training.

Other organizations—including 51 percent of those surveyed for the Advisen report—are choosing to hire one or more outside vendors that have experienced cybersecurity professionals on staff to provide forensics, data breach protection services, pre-breach services, and more.

For now, there is no magic bullet for organizations that need more or better privacy and security professionals. It certainly helps, when possible, to pay competitive salaries and offer strong benefits. You can also provide more internal training to build up your cybersecurity workforce from within. And you can outsource to outside vendors that have the specific expertise you’re looking for—and the experienced and highly skilled employees you need.
