With each passing hack, the U.S. needs more cyber security professionals—and has fewer options on where find them.
Good help is increasingly hard to find. For proof, just watch the cyber security industry, where it may soon be impossible to fill all the jobs that need to be staffed. And though this isn’t a new problem for the space, it’s one that’s poised to get much worse in years to come.
For instance, three years ago Symantec “SYMC” CEO Michael Brown warned that the United States faced an impending shortage of cyber security professionals and predicted there’d be a shortfall by this year. This past June, he updated his forecast, suggesting that the demand for security professionals could reach six million people globally by 2019, with nearly 1.5 million new positions that would need to be filled.
These numbers are in-line with Cisco’s 2014 Annual Security Report, which warned that there are nearly one million openings worldwide for security pros. In March, data from Boston-based labor analytics firm Burning Glass released also reported that cyber security jobs grew 74 percent from 2007 to 2013—more than twice the growth rate of all IT jobs.
While that means there could be plenty of well-paying jobs out there, there’s also a labor pool that doesn’t have enough qualified individuals to fill them, let alone address needs in the coming years.
The demand is already apparent in salaries. According to research from Robert Half Technology “RHI” the average IT starting salary was expected to raise by 5.7 percent for 2015, while five-out-of-six security positions were expected to see larger-than-average bumps in starting pay this year.
Higher starting salaries may incentivize students towards cyber security jobs, but they won’t solve the longer-term problem. Instead, closing the cyber security gap requires more drastic measures, like ensuring there’s enough high-quality education available, and encouraging students to pursue cyber security courses and degrees.
This is something the National Security Agency (NSA), the Department of Homeland Security, and the National Science Foundation has worked on this for over a decade, says Steven LaFountain, dean of the College of Cyber at the NSA. “The Centers of Academic Excellence in Information Assurance/Cyber Defense and related programs have helped drive increases in capacity and quality of cyber security education at all college levels,” he says.
But college may be too late. While America’s youth have become rather tech savvy thanks to ever-present mobile phones, tablet devices and video games, K-12 students are behind other nations according to a Pew Research Center report. It seems that the use of these mobile devices are not instilling any skills.
“Substantial growth in the number of middle and high school students who study cyber security and then continue onto cyber security careers will require outreach and incentives from industry, government, and academic organizations,” says LaFountain.
Specifically, the U.S. needs to push STEM education while actively trying to generate more early interest in computer science in middle and high school students. STEM education may be crucial in addressing the future requirements, but not every cyber security job may require such a deep technical understanding of computer science. A basic understanding of STEM disciplines will still be required for jobs in policy, oversight and compliance—yet the majority of the higher paying jobs will still require various levels of technical depth.
In the meantime, the higher pay being used to attract today’s college students may be causing a problem with workers already in the industry. Chasing the ever-climbing pay, many security pros jump from job to job, a problem that leaves new gaps to fill in the positions they vacated.
“Many of these jobs require certain types of certification, and many of the positions require at least an associates or bachelors degree,” says Rodney Peterson, lead for the National Initiative for Cybersecurity Education at the National Institute for Standards and Technology. In addition, many security positions require experience in the three to five year range, he says, and 83 percent of the jobs actually require three or more years on the job. These barriers make it hard to keep up with the demand.
“Just count the number of news stories this year regarding security breaches,” says Professor Clifford Neuman, director of the USC Center for Computer Systems Security. Every time there’s a hack, a large number of well-trained cyber security staffers are needed to perform forensic analysis to determine what has been breached; to patch and repair the systems so that the vulnerability does not persist; and to deploy new security technologies to prevent similar break-ins from occurring, says Neuman. There are not enough experts to keep up.
Making this cycle worse is that it’s just in response to breaches—it doesn’t even cover the staffing needs for designing systems with improved security in mind. “All development needs to be performed by teams that have core members who have been trained in security,” Neuman says. “That rarely happens, in part because there is a shortage of trained individuals, and because they are so highly in-demand to respond to attacks.”
And so for now, the cyber security industry hopes and waits as education races to help the field catch up.
“Throughout the country, faculty are increasingly adding discussion of security into existing curricula from computer networking classes, operating systems, and software engineering,” says Neuman. “These changes need to continue…. The demand for these skills is increasing enrollments in these programs, but the demand will continue to grow as business computing increasingly moves toward the cloud.” In other words, when it comes to cyber security staffing, enough may not be enough.