Companies can pay all they want and still not find enough people
In the short term, the supply side of the manpower equation will not be responsive to higher salaries because there simply aren't enough professionals to go around. Since training and educating a new generation of cybersecurity workers can take years, organizations that need security skills will be hard pressed to find them.
On a positive note, the higher compensation packages offered to security professionals could begin to attract would-be hires from other areas such as engineering.
Organizations should look at alternate approaches
Companies and government entities should consider adopting more secure system architectures and best practices to reduce their dependence on manpower. Organizations spend close to $70 billion on cybersecurity annually around the world, Libicki said. If even a 10th that amount was invested in making software more secure, there would be less of need for so many cybersecurity professionals.
"We have a model that basically says 'I accept the world of software as is and I am going to patch everything at a systemic level,'" he said. It is an approach that is basically unsustainable in the long term. A company that has 600 security professionals today might require 1,000 in a few years — and still not be secure.
Importing talent may not be a good approach
A great deal of cybersecurity work is already internationalized, RAND said. For another, bringing in workers from other countries could depress wages and discourage U.S.-born professionals from entering the field. This could become a problem because foreign-born nationals will not have the security clearances required to work for many government organizations.
Sign up for CIO Asia eNewsletters.