After years of assigning the task of protecting the digital integrity of their organizations to an already overloaded IT department or simply ignoring the issue, executives and directors of enterprises of all sizes appear on the verge of adding cybersecurity specialists to the upper levels of their organizational charts. These same executives, experts warn, are now likely to discover a shortage – some say severe – of qualified applicants to fill those fresh job openings.
A recent report published by the Pell Center for International Relations and Public Policy asserts that “there is a shortage of highly trained cybersecurity professionals who are capable of addressing the threat at hand.” According to the report, which calls for the creation of a national professional association in cybersecurity, an analog to the American Medical Association (AMA) or the American Bar Association (ABA), the shortage portends severe consequences:
“The dearth of advanced cybersecurity professionals can be felt across all sectors, from the federal government to the private sector, with potential negative consequences for national security, economic vitality, as well as public health and safety.”
Another source, the RAND Corporation, says the cybersecurity work shortage poses particular threats to US homeland security.
But the scarcity of skilled digital security professionals is not exclusive to North America, according to this Bloomberg report from June of this year.
Authors of the Pell Center paper argue that a deeper issue than the labor shortage is an absence of clearly regimented training and development programs designed to produce cybersecurity professionals with the skills to counter the increasingly sophisticated actions of cyber criminals, who are often backed by heavily funded criminal or state-sponsored organizations. The paper characterizes the current cybersecurity labor market as a “fog of competing requirements, disjointed development programs, conflicting definitions of security roles and functions, and highly fragmented, competing, and often confusing professional certifications.”
Just as the creation of the AMA accelerated the advancement of the medical profession, establishing standards around training, education and apprenticeship requirements, professionalizing cybersecurity will ensure that trained and qualified professionals are manning the front lines of digital security, proposes the report.
Not everyone agrees with the Pell Center report findings, though. A separate study conducted in September 2013 concluded that the duties and responsibilities of cybersecurity professionals were changing so rapidly that the too-soon formation of professional associations would negatively impact the ability of businesses to protect their data:
“Premature or blanket professionalization strategies will likely hinder efforts to build a national cybersecurity workforce of sufficient quality, size, and flexibility to meet the needs of this dynamic environment.”
Conflicting viewpoints on the impact of professional associations on the development of a large and sufficiently skilled workforce create a sort of cybersecurity Catch-22, which is likely to hinder the hiring aspirations of business leaders.
Data Protection Officer
Across the Atlantic, a different approach to filling gaps in cybersecurity and regulatory compliance is taking place.
A recent NetworkWorld article cites a proposed requirement in pending European Union data-privacy regulations for a mandatory Data Protection Officer (DPO). The cybersecurity position would be required of all organizations providing goods and services to European citizens, regardless of the company’s size or its location. A DPO would be a requirement, for example, of a small US company doing business with Europeans, according to the article.
The proposal appears to be part of an escalation of efforts by the EU, which already has a reputation as a consumer-friendly regulatory body, to better protect citizens from invasions of digital privacy. Despite the fact that the DPO requirement may help businesses shore up cybersecurity, experts say the regulation may not sit well with organizations doing business in Europe. In addition to the position being mandated and monitored by the government, businesses are likely to have a difficult time finding qualified candidates, say experts.
They would not be alone. A survey of job postings and classified ads conducted by The Abell Foundation & CyberPoint International LLC during a single week in October 2012 uncovered 340,000 cybersecurity-related job openings – just in the US.
While the Pell Center study identifies the lack of professional associations and insufficient training and educational funding as major contributors to the glut of cybersecurity job vacancies, high levels of stress and job instability may also be responsible for dissuading engineers and computer science majors from pursuing the vocation.
The title of this October 2013 online article, 9 Reasons Why Your Security Leader Needs a Hug, tells you everything you need to know about cybersecurity job stress. Had the article been penned following revelations of high-profile security breaches at major retailers and subsequent job dismissals, the author would likely have had little difficulty in coming up with a tenth reason.