Cybersecurity talent shortage: not the lack of people, but the lack of the right people
Discussing the cybersecurity talent shortage, why it is hard to find an entry-level job in the industry, and what we should be doing to advance the discipline
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Cybersecurity talent shortage: what we think it is and what we’re doing about it
Over the past year, the conversations about the cybersecurity talent shortage seem to have intensified. According to CyberSeek, there are over 660,000 open roles in cybersecurity in the US alone, and that’s on top of nearly 1,130,000 who are already employed in the industry. The estimated total demand for cybersecurity professionals suggests that nearly 1.8 million people or 1.1% of the US labor force could be working in our industry (for comparison, there are only 1 million doctors, 1.3 million lawyers, and 1.4 million accountants in the US). These are staggering numbers.
We aren’t just talking about the need to get more people into security; slowly but surely we are starting to take action. Cybersecurity bootcamps are popping up like mushrooms, promising to retrain anyone within a few weeks to a few months, in exchange for a small investment that could, according to their marketing departments, lead to a six-figure job at graduation. Colleges and universities are not staying behind: more and more institutions are launching educational programs in cybersecurity, compliance, and risk management, enabling those with a passion for security to earn diplomas, bachelor's, and increasingly more often - graduate degrees in security-related disciplines. Graduate departments of several universities have recently started to offer doctorate (PhD) programs in homeland security and cyberdefense. Online education providers are also growing the number of offered cybersecurity courses, and some players such as Cybrary built a fast-growing business around cybersecurity education.
On their part, professional associations have been expanding the number of entry-level cybersecurity certifications. In 2022, (ISC)², the world’s largest nonprofit association of certified cybersecurity professionals, launched the Certified in Cybersecurity℠ entry-level credential. Disaster Recovery Institute International (DRI) now offers the Associate Cyber Resilience Professional (ACRP) certification, while the International Institute of Business Analysis™ (IIBA®), an organization that brings together business analysts, provides a Certificate in Cybersecurity Analysis (IIBA®- CCA) designation. It’s worth noting that these are just some of the examples of the recent additions to the already long list of security certifications.
Meanwhile, the US government recently announced the National Cyber Workforce and Education Strategy (NCWES), “aimed at addressing both immediate and long-term cyber workforce needs”. It seems like we are doing a great job training the next generation of security practitioners, and very soon we should be on our way to closing the so-called talent gap.
Realities of getting an entry-level job in the industry
If one were to have a look at the multitude of educational programs, scholarships, certifications, and degree options, it surely looks like anyone who has a basic interest in cybersecurity, should be able to get started in the industry. A more thorough look at reality tells a different story.
Getting a job in cybersecurity is notoriously hard. There are tens and even hundreds of websites, mentorship programs, resource groups, and YouTube channels built around helping people break into and land their first job in cybersecurity. There is even a whole category of social media influencers who were able to amass impressive LinkedIn, Twitter, and now - TikTok following by targeting those trying to pivot their careers to security.
I spent a few hours trying to figure out how many job openings there are for entry-level security practitioners, and the results were quite disappointing. Very few companies are willing to take someone who already doesn’t have 3-5 years of experience in the industry. As someone explained in a Reddit thread, “...there are no entry-level positions. If there are entry-level positions, then there is someone willing to take on the risk of reducing their core team's capacity to mentor that individual and hope that they understand all the concepts to become a successful team member.”
At a certain point, I started to wonder: how is it possible that we have a shortage of nearly 700,000 security practitioners in the US alone, and so many institutions trying to close the gap and train a skilled workforce, yet so few companies are actually hiring for entry-level roles? I have been doing a lot of thinking about this problem and concluded that conversations about cybersecurity talent shortage lack critical reflection and therefore result in somewhat misguided suggestions. Before I go into the details, let me state a controversial take: I think that with a few exceptions, getting a job in cybersecurity requires people to have an understanding of the thing they are going to be securing:
Someone interested in doing product security should know how the product is built
Whoever wants to specialize in cloud security should have experience with cloud infrastructure
Someone looking to build a career securing IT infrastructure needs to know how IT is provisioned, configured, etc.
Unlike most fields, education in cybersecurity is there to build on the foundations people come with. One cannot secure what they don’t understand; learning best practices for application security without knowing how to read and/or write code isn’t going to be all that useful. There are certainly some areas of security that are easier to grasp with no prior experience than others, but either way people looking to break into the industry would need to first learn how the underlying technology works, then - how it can be exploited, and only then - how it can be secured.
Breaking into the security industry is hard, but the reason for that is not intentional “gatekeeping”; it’s the fact that there is an oversupply of talent on the entry-level side, and a shortage of talent on the senior side.
With this out of the way, let’s dive in.
Cybersecurity talent shortage is not just quantitative, it’s qualitative
Changing nature of IT infrastructure
Cybersecurity has been growing in importance, and for a good reason: the number of security incidents is up, insurance premiums are rising, and the threat and the order of magnitude of attacks, particularly from ransomware, are hard to overestimate. At the same time, the ever-growing complexity of customer’ environments, the rise of SaaS, cloud adoption, and remote work have made it much harder to effectively protect the organization’s data. Add the pressure from the regulators, the threat of lawsuits, and high levels of burnout of security practitioners to the mix, and it becomes clear that security teams would very much benefit from extra help.
The reason so many people trying to break into cybersecurity are struggling is the same reason why so many security teams are drowning in more work they can handle. The cybersecurity talent shortage is not just quantitative, it’s qualitative.
Over the past decade, IT infrastructure has evolved dramatically but while a lot of the hard components of IT have been abstracted away, they did disappear. How databases, data centers, and networks are being delivered changed and so are the ways they need to be secured. The rise of the cloud, for instance, created a conundrum: on one hand, few people today understand what are the components of a traditional data center, and how they all work together. On the other hand, the public cloud became so complex, that equally few have an understanding of how it should be configured securely.
Everything now operates on a large scale. Corporations have offices around the globe, work with tens of thousands of vendors, and buy software from thousands of tech companies. Employees are accessing company information from their homes, often logging in from their personal workstations. With the number of SaaS tools, no enterprise has full visibility into all applications that have access to their data. Moreover, as technology is now seen as a core differentiator for how the business is done, every company has become a tech company.
Why we may not need to train and hire 700,000 cybersecurity professionals
As we are faced with the need to manage systems, processes, and technical controls at scale, it becomes obvious that adding more people won’t make the security problems go away. Security needs organizations have today cannot be easily fulfilled by leveraging the skills, tools, systems, and processes we relied on before. We cannot hope that vendors will provide us with all the answers either: while security products play an important role, every tool a company buys needs to be configured, fine-tuned, and customized to fit the unique customer environment, and for that, we need security practitioners.
Faced with these challenges, we are seeing how more and more of the problems in cybersecurity are being solved by adopting an engineering approach to security operations. We are witnessing that a lot of the manual processes which used to require many hours of work from tier one security analysts, are being automated by security engineers, people who both understand security and can design and build their own solutions.
As security is becoming more and more similar to software engineering, it is apparent to me that the idea of needing to hire millions of security practitioners globally is based on the assumption that we will keep doing security the way it was done half a decade ago: by hiring tens of people to monitor, triage, and analyze the ever-growing stream of alerts produced by security tools. What is different today is that we have many more tools at our disposal - tools we didn’t have ten or even five years ago. Why don’t we staff security teams with detection engineers to tailor the detection logic to the organization, and thus reduce the number of false positives? Why don’t we get automation engineers to create playbooks and automate manual processes? Why don’t we get security engineers to assemble, and when needed, build a security stack fully tailored to the needs of the organization?
All this is especially true given that the recent advancements in AI and ML are making it easier for security practitioners to do their job. As time goes by, I am confident that AI will get better at writing threat detection rules thus making it easier to hunt for threats in customer environments and tailor detection logic. If two engineers and two incident responders can do the work of twenty analysts, we may very well be better off hiring the engineers and incident responders capable of building solutions to the organization’s problems. Instead of getting 700,000 people into security trained to use tools, we could get fewer people who are much more proficient and well-versed in the fundamentals, as well as highly effective in their roles.
Getting more engineers in cybersecurity
I have previously discussed why we need to look for ways to bring software engineers to do cybersecurity. “As everything in security is becoming as-code, one of the rarely discussed pipelines for cybersecurity talent could be software engineering. Some argue it may be easier to teach engineers security than to tech security professionals software engineering. While I am not the right person to make a judgment about the correctness of this statement, I have seen enough software engineers turn into security practitioners to know that that path is real.
The challenge lies in making it known that cybersecurity is a viable career path for software engineering graduates, providing them with the right training (adding deep-level cybersecurity courses to computer science programs), and designing meaningful career paths for them to find their way in cybersecurity. This raises a question of compensation for many entry-level cybersecurity jobs new graduates can command: if a person can get their first job in software that pays 20-40% higher than anything they are offered in security (if they can even get an interview), the whole idea of getting software engineers to do security falls apart.” - Source: The rise of security engineering and how it is changing the cybersecurity of tomorrow
A strong argument for hiring software engineers for security roles is that they can start adding value almost immediately. The reason why so few companies are open to hiring entry-level security practitioners is similar to why equally few companies are willing to take a chance on a junior product manager - the risks their decisions create, and the need to allocate time on onboarding. Both product management and security are high-impact jobs with very long feedback loops: it may take years before the company realizes that the product manager (or a security practitioner) made a wrong decision, and at that time, it will be too late. Hiring people without a strong track record in the field is risky, so companies are looking for ways to mitigate that. Another factor that comes into play is that it takes a long time and effort to train a new security practitioner; the team needs to be willing to deprioritize other initiatives knowing that they need to slow down and that the new person won’t add much (or any) value at the beginning. Although software engineers may lack security skills, they can start adding value almost immediately by helping the security team automate processes, develop integrations, or even build their own in-house tools to address unique needs of the organization.
Upskilling the existing cybersecurity workforce
The problems we have in security today cannot be solved solely by hiring more entry-level people or getting engineers to pivot their careers to security. While we do need to create a pathway for new talent to find their place in the industry, the number one goal for us as an industry should be to upskill those who are already working in cybersecurity.
One of the challenges is that although there are many people employed in the industry, not all of them have the skills to successfully protect their organizations. Security is complex, and to deal with that complexity, we need people who understand the fundamentals of security as a discipline, who possess an engineering mindset, who understand how technology works, and how it can be subverted into doing what it wasn’t designed to do. It is not enough to look at vendor-made dashboards and triage alerts with little to no context. When incidents are triggered, people will need to piece together a full picture of what is happening in the environment, how the attackers got in, and how to contain the breach and recover from it.
Cybersecurity vendors provide tools security practitioners can leverage to do the job, but tools alone aren’t going to save us. Neither will our focus on compliance: it is a great motivator for implementing basic security controls, but it’s not at all sufficient. Without mature security professionals who understand their environment, and possess the skills in deception, threat hunting, detection engineering, incident response, security engineering, and the like we can’t truly strengthen the organization’s security posture.
A part of the problem is that quality security education is expensive. One of the best practical training providers, SANS Institute, charges close to $10,000 per course, an amount that few security practitioners can pay out of their pocket. It would make sense for companies to allocate a solid budget for their employees to stay on top of the changes in the industry, but that doesn’t appear to be happening. I have been hearing that a solid number of businesses either never had, or recently cut their professional development spend.
Security professionals looking to stay on top of new developments and learn new skills may find training and villages at Black Hat and Defcon, as well as BSides, ACoD, Blue Team Con, and other practitioner-centric events highly relevant. Practical capture the flag (CTF) events are great too. And, it would be a miss if I didn’t give a shoutout to the Antisyphon Training which offers affordable (including pay-what-you-can) training, as well as Recon Infosec and their highly educational weekly Thursday Defensive Webcast.
Pushing security vendors to do better
Security vendors have an important role to play in solving the security talent shortage.
First, they need to make it possible to manage their tooling at scale. Very few products today are built in a way that allows updating configurations as code, syncing settings across hundreds of tenants, or integrating the tools with CI/CD pipelines. More and more products are built API-first, but even in that direction there is room to grow: vendors still gate their API access, or see their APIs fall behind compared to the capabilities available in their web applications.
Another way in which security vendors can help solve the security talent shortage is by making their tools accessible to practitioners who aren’t working in large enterprises. The need to qualify, meet the minimum spend, and other restrictions make it impossible for many in the industry to try different products. As I explained before, security practitioners are effectively denied the opportunity to learn to use tools they need for them to get a job, such as endpoint detection and response, identity management, asset management, security automation, orchestration, and others that have become ubiquitous across the industry. This creates a vicious catch-22: Unless you have experience using product X, you can't get hired, and you can't get experience with the tool unless you're already in the industry. As a vendor community, we can do better.
Closing thoughts
The cybersecurity talent shortage is real, even if the solution we need is much more nuanced than getting recent college graduates into cybersecurity. There is a lot that needs to be done, including embracing an engineering mindset and upskilling people currently employed in the industry so that they can tackle the ever-increasing complexity of the space. I haven’t even talked about the need to increase diversity and hire people from different walks of life.
Even though some surveys suggest that software development skills aren’t as important for security practitioners, I think that’s a mistake: how can we design effective security measures unless people doing the job have a solid understanding of how technology works at the fundamental level? How do we security everything-as-code if the people whose job it is to do security don’t understand the code? How do we secure AI workloads if security practitioners don’t understand how the models work? (we certainly can’t allow them to learn from social media influencers). We need people with experience managing IT infrastructure to secure IT, and people who know how to build products to secure software products.
Additionally, we need to automate security operations, and automation isn’t something one can buy - it is something one needs to do. Without solid skills in writing code, there will always be limits to what can be achieved with various no-code and low-code solutions. Moreover, choosing the best solution to a problem isn’t always going to be synonymous with choosing a software vendor: sometimes leveraging open source projects, or building tools in-house can make more sense, but for these options to even be considered, security teams need to possess the right skills.
As we are thinking about securing our future, let’s keep in mind that we are up against adversaries with different levels of skills, motivations, and experience. The so-called “script kiddies” akin to security teams that solely rely on tools, may very well be stopped by products implemented out of the box. However, experienced and highly motivated attackers can only be challenged by equally or more skilled defenders.
Great Post Ross
I feel that the mindset of security leaders need to change. As you wrote, it is hard to get hired as a rookie security person.
It relates to the lack of team structure and processes. If you design and run your teams with heroic behavior and divas you need super human mates. If you have well structured work, junior people will be able to do entry level tasks and more senior other tasks
Look at the manufacturing sector, they have apprenticeship, they have workers, technicians and engineers... not a cohort of people
I think security (and IT in general) is still at its infancy regarding team structure
You mention what I'll call "development driven tooling" above (configuration as code, api-first,...), which is definitely one of my pet peeves. To demonstrate: when I started my first job at Alcatel Lucent (years ago now, before devops), I became so frustrated from having to configure their routers over and over again, that I wrote a program to generate the network configuration for all routers in the system. (Had I known "infrastructure as code" was coming, I'd stayed a bit longer at that job... )
Suffice to say, I'm pretty "pro" development driven tooling. The problem is, not everybody has access to the right (dev) talent, so they'll resort to a "box that does the thing", because that's better than nothing and it'll scale the talent they have better. It reminds me of the build vs buy debate years ago: the software native companies mostly went the build way, the others bought.
I'm pessimistic about the upskilling & attracting more engineers sections. In my experience: only a subset of any population has an engineering mindset (needed to programmatically scale stuff, be it config or triage) and security is no exception. Also: trying to attract software engineers is difficult: only some have an interest and as a group they are also very much in demand.
All this to say that while I would love dev driven tooling and open access to tools (god yes please!), I think there's a big incentive for vendors to keep providing a closed box which does the "difficult stuff", which you can then operate using cheaper labor and processes. Code is not the only way to scale. I'm not against that, it's the way to reach the goal when you don't have as much access to dev resources. And it makes vendors and MSSP's are very happy ;-)