Security hiring challenges have worsened over the last several years. Threats are more numerous and more sophisticated; security breaches are more publicized; and CEOs, CIOs and CISOs are being held accountable for damaging hacks. It's no surprise companies are working harder to find, hire and retain experienced security pros.
A turning point was the TJX breach in 2006, which led to data-breach disclosure legislation and increased scrutiny of corporate data-handling practices, says Larry Wilson, information security lead in the University of Massachusetts President's Office. From then on, demand for security pros "really started to accelerate."
Data from Boston-based labor analytics firm Burning Glass highlights the spike in demand: cybersecurity job postings grew 74% from 2007 to 2013, which is more than twice the growth rate of all IT jobs. The labor pool has yet to catch up. U.S. employers posted 50,000 jobs requesting CISSP credentials in 2013, a year in which the population of CISSP holders numbered 60,000, Burning Glass said in its 2014 report.
"The size and scope of the problem has grown dramatically as the threat has increased and as we've seen more high-profile breaches," says Charlie Benway, executive director of the Advanced Cyber Security Center (ACSC), a nonprofit consortium of industry, university, and government organizations. "Executive management and boards of directors are now recognizing that cybersecurity is not just a tech problem, it's a business problem. We're starting to see more executive-level emphasis on cybersecurity, more resources coming into cybersecurity, across all industry sectors. That has definitely increased the demand for cybersecurity folks."
"It's probably 10- to 12-times harder to find cybersecurity professionals than it is to find general IT professionals," says Rashesh Jethi, a director in the services group at Cisco which last year pegged the number of unfilled cybersecurity jobs around the world at 1 million.
Enterprises are definitely feeling the pain. Eighty-six percent of organizations polled by ISACA believe there's a shortage of skilled cybersecurity professionals. Not only that, most companies feel they're at risk. Just 38% of ISACA members believe their organization is prepared for a sophisticated cyberattack.
The lack of preparation stems, in part, from an overall shift in security strategies. The ubiquity of technology has driven enterprises away from a perimeter defense model and toward an approach that combines intrusion prevention with functions such as risk assessment, threat mitigation, and incident response, says Robert Stroud, international president of ISACA, a nonprofit association that advocates for information security, risk management and governance professionals.
"We can't protect against every threat, so what happens once we've discovered something, some unusual behavior? How do we react?" Stroud says. "Organizations are now attempting to add to the skills they need to cover this gap. When you've got everybody in the world realizing they need to do something and going to the market, it leads to a skills shortage, especially when we haven't been training people with these skill sets necessarily."
Sign up for CIO Asia eNewsletters.