A close look at the talent shortage problem in information security
by Evan Francen
We have a severe shortage of information security talent. This problem is well documented and well publicized, although some people are unaware of the severity of the issue. According to the Global Information Security Workforce Study, the projected shortage will be 1.8 million empty seats by the year 2022. The 2017 Cybersecurity Jobs Report paints a bleaker future with 3.5 million cybersecurity job openings by 2021. As an industry, we’re in a pickle.
To simplify the issue, think of this problem like a water trough on a farm. The trough is our talent capacity, and the water represents available talent. We’re not filling the trough with water as fast as the cattle (companies) are drinking it, so the trough is dry and the cattle are thirsty. This is our supply problem.
The simple fix is to turn on more water, or open the spigot. The spigot represents training in our analogy. We need to push more water through the spigot to fill the trough, or at the very least, keep our cattle from dying of thirst. Push more people through training, and there’s more talent available for companies to satisfy their security thirst. Voila! More water means happier and healthier cattle.
Unfortunately, it’s not quite that simple. When we turn the spigot wide open, there’s still not enough water coming through. The problem isn’t the spigot, there’s something in the way. That “something” is money, and it’s preventing people from getting the requisite training to enter our market.
Cost of training is constricting our supply
There is no shortage of training options for people who want to start information security careers. We have a talent shortage problem, not a training shortage problem.
Let’s assume that someone is interested in becoming an information security analyst. The advice might be to get a degree or maybe a certification. The number of information security (more commonly called “cyber security”) degree programs has exploded in recent years, and for good reason: cyber security degree programs generate millions of dollars in tuition and fees for colleges and universities.
A bachelor’s degree in cyber security will cost somewhere between $20,000 and $60,000, or more (Source: https://www.onlineu.org/most-affordable-colleges/cyber-security-degrees). This might get you an entry-level job. Obviously, a master’s degree will cost more still. Most of us don’t have $20,000 or more lying around, so students need to be funded through their employer, student loans, scholarships, or some other means. This is a significant financial investment for most people, and it is a hurdle that must be overcome.
Another non-exclusive option is certification. Certification isn’t cheap either. The most popular certification in our industry is the Certified Information Systems Security Professional (CISSP®), assuming you have the required five years of practical experience. Without the experience, you become an “Associate of (ISC)2”. Training to pass the CISSP exam can range from $3,000 – $5,000, or more, and the exam itself will set you back another $699.
The importance of degrees and paid CISSP training programs should not be minimized; they are excellent options if you have the means to pay for them. The costs associated with these options, however, are a barrier for some people. If we want the best possible chance of solving the talent shortage problem, we’ll need to remove as many barriers as possible. How can we still provide the necessary training to enable success on the job without cost becoming a barrier? The only answer is: We’ll need to give it away.
A viable option to help solve our talent shortage issue is to provide information security training free of charge. If we are to take this shortage seriously, we need to get serious about giving the next generation the means to help solve the issue.
There are a few free training resources currently available, and the numbers are growing; however, we are not close to keeping up with the current demand:
- FRSecure’s CISSP® Mentor Program (https://frsecure.com/cissp-mentor-program/): The program was established in 2010 to provide free information security training to those interested in taking the CISSP exam. The program is free; there is no obligation, no prerequisite, and it’s offered both onsite and online. Next class starts April 10, 2018.
- SANS Cyber Aces Online (http://www.cyberaces.org/courses/): The global leader in cyber security training, SANS offers courses as open courseware to help grow the information security talent pool.
- Cybrary (https://www.cybrary.it/catalog/): An excellent resource offering a full open source library of quality information security training content.
- Cyber Degrees (https://www.cyberdegrees.org/): Free MOOCS (Massive Open Online Courses) pertaining to cyber security that are offered by universities and freely available to anyone interested in cyber security.
The cattle are thirsty. If we can just clear the spigot, we can expect the water to flow.
About the Author: Evan Francen, founder and CEO of FRSecure (www.frsecure.com), is a passionate information security expert who serves businesses of all sizes, in all industries, by cooperatively solving the complex issues surrounding information security. He is considered by many to be an “information security evangelist”. Prior to establishing FRSecure, Evan spent more than 15 years as a leading information security professional and corporate leader in both private and public companies. He is well-versed in governmental and industry-specific regulations, standards and guidelines including ISO/IEC 27002 (17799:2005), HIPAA, GLBA, PCI-DSS, FDA CFR Part 11, SOX and COBIT, but also understands the intricacies of aligning compliance with business objectives. Prior to establishing FRSecure, Evan established the formal information security programs for four publicly traded companies: Corel Corporation (CREL), Mattersight Corporation (MATR), MGI Pharma (MOGN) and Eisai Ltd (TSE).