It is no secret there is a worldwide cybersecurity skills shortage. In fact, this shortage is often described as a “crisis”.
But the response to this crisis is always directed at the supply side of the problem; nobody is approaching it from the demand side. For example, the Australian government recently held a Jobs and Skills Summit, and every solution that came out of it was a supply-side one, with training and immigration the most frequently mentioned.
Demand Side Dysfunction
In cybersecurity (and in the wider tech industry), the demand-side dysfunction is especially acute. This 2019 report noted that cybersecurity graduates, despite having skills in high demand, faced difficulties finding employment:
However, it will take time before this pipeline of graduates is ready to enter the workforce, and even then, they may face obstacles because of outdated hiring practices.
The same report continues:
In addition, there are signs that employers’ hiring practices may be exacerbating the lack of skilled workers. For instance, two-thirds of information and cyber security professionals surveyed by the Australian Information Security Association in 2016 cited management’s failure to understand skills requirements as a key driver of the current cyber skills shortage, while just over half said employers were reluctant to recruit and train entry-level candidates for cyber security roles.
A CISO representative explained,
“HR writes position descriptions based on things that they know how to assess, like qualifications and experience. The new cyber security workforce doesn’t yet have these qualifications or experience.”
This report is consistent with what I wrote about the utter mindlessness of how recruitment processes actually work:
That is why the job market is so brutal. The hiring process is done this way because it is convenient and cheap, not because it produces the best outcome for both the company and the candidate.
As I explained further, the outcome of such widespread dysfunctional hiring practices is this:
… companies are only looking for those with the exact configuration of previous experiences to fill vacancies. This implies that companies are hiring people who are trained and experienced at others’ expense. There is widespread reluctance to invest in the skills, training and development of both existing and new staff.
This hiring culture betrays an underlying selfish motivation. If a company invests in developing its staff, and those staff are then poached by others, the company has in effect subsidised the training and development of staff for its competitors. So companies adopt the attitude of NOT training their staff: why invest in developing employees' skills only for other companies to poach them and enjoy the fruits of that investment? Companies would rather be the ones doing the poaching.
Unfortunately, when this practice is widespread, the result is chronic under-investment in skills, training and development across the whole economy.
In the context of cybersecurity, the outcome is that the skills shortage crisis is being exacerbated by cheap, convenient and expedient hiring practices. These practices are worse than ineffective: they make the shortage even more acute and are counter-productive to solving it.
In fact, there are some signs that hiring practices have degenerated into a farce. These are a couple I saw on LinkedIn:
Personally, regarding the Carbon programming post immediately above, I was approached by a cybersecurity recruitment agent who confessed she had no idea what the job requirement meant.
To make matters worse, businesses and governments automate their dysfunctional hiring processes with mindless software algorithms. As this Wall Street Journal article reported,
Companies Need More Workers. Why Do They Reject Millions of Résumés?
Automated-hiring systems are excluding many people from job discussions at a time when additional employees are desperately needed.
Automation thus magnifies and scales up these farcical hiring processes.
Is the cybersecurity skills shortage a myth?
The dysfunction on the demand side of the skills shortage is so bad that there is now push-back from the grassroots. A registered non-profit organization, Cybersecurity Gatebreakers, has been formed to deal with this problem:
The cybersecurity skills gap is a myth.
There are tens of thousands of bright, passionate, and high-potential people around the world, hoping desperately to break into cybersecurity. But there is no room for them; most “entry-level” job openings require years of experience, formal technical education, and a litany of professional certifications.
But why is this?
Certainly, there is entry-level work in cybersecurity. You don’t NEED five years of experience, a college degree, or a CISSP to do many of the basic tasks found in cybersecurity. This is true across almost every domain, subdomain, and specialty within cybersecurity.
Demand for Cybersecurity Skills Doesn't Match Reality
As I mentioned before in this article,
In this Information Age, changes are happening at an accelerating rate. There will always be new processes, new technology, new software, new hardware and new information coming in.
The work that you do will always be changing. Your experience will grow along with your work, even in the absence of training and development by your employer.
But there is one problem.
The specific configuration of experiences you gain will be unique to your company only. Since no two companies are identical, no two people with the same job title in different companies will have an identical configuration of experiences. In other words, you, along with many others, have become a unicorn.
This is especially true for technology workers.
Let me quantify the level of uniqueness of modern technology workers. In cybersecurity alone, there are 3,500 different specializations. Let's say that in a typical cybersecurity job, employers are looking for experience in five different specializations. On those numbers there are roughly 4 × 10^15 possible combinations of five specializations, so how does an employer or employee realistically narrow it down?
Unless something is done on the demand side to consolidate the number of specializations to a realistically manageable number, the cybersecurity skills shortage will continue to be a global issue.
Why are cybersecurity professionals resigning and leaving the industry?
In the cybersecurity industry, there are serious difficulties in getting enough skilled workers. This problem is going to get worse because a large proportion of those skilled workers intend to resign. As this ZDNet article reported,
Cybersecurity leaders are anticipating mass resignations within the year – here’s why…
The growing threat of attacks combined with industry skill gaps is leading to sky-high burnout rates among cybersecurity professionals.
As cybersecurity professionals resign, they pass their existing workloads on to the colleagues who are left behind. This increases the burden on those colleagues and accelerates their burnout, which in turn induces them to resign too, passing the burden on to fewer and fewer remaining professionals.
Why are cybersecurity professionals burning out? The reason is overwork. Why are they overworked? The main reason is the nature of the problem that the cybersecurity industry is trying to solve. As I wrote in What do cybersecurity and the Great Wall of China have in common?
Cybersecurity has a similar problem to the Great Wall of China. The nature of the problem favors the attackers disproportionately much more than the defenders…
As we all know, there is a severe shortage of cybersecurity professionals. The defenders of the Great Wall of China needed to dwarf the number of attackers to be effective. The Ming dynasty had to deploy a colossal army of 1 million to do that job. But in cybersecurity, we are nowhere near the relative number of professionals required to defend against attackers.
The cybersecurity industry death spiral
You would expect that this would increase the urgency to hire new entrants into the cybersecurity profession, right? Unfortunately, the very existence of the Cybersecurity Gatebreakers foundation shows that the cybersecurity gatekeepers are not budging.
In cybersecurity, we are fighting the way the Japanese fought in World War II, and losing: we are repeating the same mistake they made, and we know how that war ended for them. In this war, the cybersecurity industry is going to lose to its adversaries: cybercriminals and hostile nation-states.
In other words, the cybersecurity industry is in a death spiral.
That is where more cybersecurity "dead bodies" are going to pile up, and faster.
Remember those “tens of thousands of bright, passionate, and high-potential people around the world” mentioned by the Cybersecurity Gatebreakers foundation?
These people, although rejected by the cybersecurity job market, have the skills to be hackers and cybercriminals. In fact, I saw this meme in this Reddit forum:
If the demand side of the problem is not resolved, the frustration of these talented and passionate individuals can only grow, and with it the temptation to go over to the dark side. After all, cybercrime is a good "business". Even those who do not want to commit cybercrimes directly will find that cybercrime is now an "industry" of its own, with its own division of labor and specialization. They will be tempted to provide grey ancillary services to the highest bidder, who may well be the real cybercriminals and hostile nation-states.
This means that as the cybersecurity industry falls into a death spiral, the cybercrime ‘industry’ will experience corresponding growth. This can only mean one thing: there will be more victims of cybercrime and hacking. In the end, all of us will eventually pay a price for not resolving this problem.