
Getting hacked more than 20 years ago is the best thing that could have happened to me professionally. At the time, I was a recently graduated English major with a great passion for technology, which eventually led me to a network administration role at a small start-up. When a hacker broke into the network that I was managing, I made it my personal mission to learn how they did it, which propelled me into my current career in cybersecurity. That was back in 1994 – and I’ve never looked back.

Today, the threat landscape has grown vast and complicated. With millions of pieces of data stolen each year, the deluge of major security breaches affects everything from politics to business, to our personal lives and data. But who is in charge of protecting all that information?

In my role as an executive security advisor at IBM, I travel the globe to talk to security leaders at some of the world’s largest companies about the challenges they’re facing. Like IBM, these security teams are dealing with thousands of potential security events per day and defending against increasingly sophisticated criminal gangs of hackers. In light of these threats, one of the biggest cybersecurity challenges I consistently hear about might surprise you: finding enough people to do the job.

As attacks increase, so does the demand for skilled security professionals to defend against them. Unfortunately, one of the biggest challenges facing the industry involves a massive workforce shortage, projected to reach nearly 2 million unfilled cybersecurity positions within the next five years.

IBM is one of the many companies seeking to rapidly hire security talent for our business – in fact, we’ve hired 2,000 security experts in the past two years. But the supply is not meeting demand; many positions in the industry remain unfilled for months to years.

So why can’t we find enough people to fill these high-paying, in-demand roles? There are a number of contributing factors. One issue is that many of the best and brightest working in security today didn’t come into the field with a four-year, technical degree. Yet job descriptions – and hiring managers – continue to seek and define roles based on degrees, versus skills, experience and aptitudes.

With a 2 million person workforce shortage approaching, we can’t rely on people stumbling into this field serendipitously like I did – nor can we continue to focus on traditional recruitment methods, education models, and traditional hiring practices for IT roles. We need to think about cybersecurity hiring and skills development in new ways.

To start, many of the technical skills needed for certain security roles are learned on the job, or through other means of hands-on engagement — internships, apprenticeships, certification programs, or even skills that are self-taught or developed alongside peers.

Additionally, with security tools constantly changing – and hackers’ methods, as well – it’s often aptitude and ability to learn quickly rather than years-old education that make or break a security professional’s success.

Think of the role of a pen tester, for instance. These “ethical hackers” are paid to think like the bad guys, attacking corporate systems and servers in order to find the security holes before the cybercriminals. Natural curiosity and an investigative mindset, problem-solving, creativity and determination are often the factors that define success in this role. These skills can be learned and honed outside of a traditional classroom setting.

People also need to start thinking of cybersecurity as a business issue, rather than a technology problem. The variety of roles we need to fill is nearly endless, and the skills needed to fill these roles are broad as well.

At IBM, we believe many of the roles in today’s security workforce can be filled by what we call "new collar" employees. The focus in security hiring needs to shift – we need less emphasis on degrees earned and more on skills and aptitude. These skills will be used in the vast array of security roles which require specialized knowledge to perform, but not necessarily a four-year university education. In fact, nearly 20 percent of those we’ve hired into our security business in the U.S. since 2015 fall into this category.

Each organization will have a different approach to how they can build their own new collar security workforce, but some good starting points include things like:

  • Supporting security programs at community colleges, vocational institutions, polytechnic schools and career centers
  • Emphasizing certification programs and embedding them into education programs
  • Developing local partnerships and exploring alternative hiring pools – such as veteran training programs
  • Driving awareness of security careers to students at an early age – through workshops, clubs, competitions and more
  • Establishing apprenticeships, residency programs and internships

By taking a new approach, organizations can increase the number of qualified candidates who can rapidly get to work and also benefit from a more varied talent base with new ideas, and candidates with deeper hands-on practical experience.

We need the best and brightest to join us in the fight. Looking outside of traditional boundaries and redefining how we find, hire and retain this talent is the start of making that goal a reality.

Diana Kelley is the Global Executive Security Advisor for IBM Security.