Cybersecurity is heading into a recruitment crisis: Here's how we fix the problem

Businesses need to think about security differently, from the kinds of people they hire and how they recruit them, to the role of the security team.
Written by Mary Branscombe, Contributor

There are nearly 3 million people working in cybersecurity worldwide, according to the 2019 (ISC)2 Cybersecurity Workforce study. 

The problem with that is we need another 4 million people to fill current and future security jobs.

The UK has around 289,000 people whose job includes security responsibilities; EMEA as a whole needs about the same number of extra staff: 65% of organizations in the study say they don't have enough people working in security, and a third say the lack of skilled and experienced security staff is one of their biggest employment worries.

It's a truism that 'every company is a technology company', but according to LinkedIn 61% of developer jobs are in organisations outside the actual technology industry so there really are a lot of companies who probably count as technology companies whatever their business is – and every organization relies on technology to run their business. 

That means every company needs security staff and is likely having trouble hiring them.

Part of the problem is how people get into cybersecurity. Only 42% of the security professionals in the survey started out working in the field. There are few university degrees in cybersecurity, and there isn't an A-level or GCSE in security. There are plenty of certifications (not least the CISSP program (ISC)2 runs) and almost half of the organizations in the survey are increasing their training budget for security - but cross-training existing staff isn't going to fill the whole gap. And to get people interested in gaining a certification, they have to know that it's a viable career in the first place.

"When you choose what you're going to do in your life, you probably make your choice when you choose your university and your course, and even the first year of university may be too late [to reach people]," says (ISC)2 board member Biljana Cerin. "I think we need to give high school students a bit more information about the field and the different aspects of it."

There are plenty of bootcamps and campaigns to encourage children (and adults who want to switch into a technology job) to go into coding; there are far fewer teaching IT administration or security. The US Air Force runs a 'cyber patriot' challenge for high schools that covers Windows, Linux and Cisco switches in an after-school club, but security doesn't have the same high profile as robotics or web development. (In fact, most schoolchildren probably get their first introduction to security when the school turns off the dinosaur game that's embedded in Chrome or blocks Gmail and they turn to hacking to try and get access.)

In the UK, the Institute of Engineering and Technology is heading a group, with a grant from the Department of Digital, Culture, Media and Sport, looking at how to professionalise the security industry and that needs to include getting it into the curriculum. "The industry has been shrouded in mystery: it's like a club that's difficult to get into," admits (ISC)2 MD Deshini Newman. "We have to make it more mainstream, more accessible and more transparent."

What do busy security pros do all day?

There are a lot of assumptions about who works in security and what they do that just aren't true any more. Security experts don't need to be hackers or developers, Cerin points out: there are a lot of different roles in security. "Are you managing policy compliance? Or are you managing a firewall and doing packet analysis? Those are very different skill sets, and they attract very different people. In security there is a little bit of something for everybody."

That breadth can be confusing. "There is so much out there and if you don't have a clear path forward it's a lot of spaghetti to untangle, if you don't have a lot of help and mentorship," (ISC)2 board chair Jennifer Minella told us.

The fact that most employees don't know what their security team does – apart from putting anti-virus software on their machine and maybe sending out fake phishing messages to test security awareness – is part of the problem. Security doesn't announce new projects or quarterly goals the way sales and marketing departments do. They're not in planning meetings or standups with developers. They sit in a different department and they don't get called in until a project is ready to ship – or something goes wrong.

Traditionally, security was the province of network admins and other sysadmins who secured the systems they were configuring. And early security professionals in the US often came from a military background, Minella points out; what they brought with them was a culture and an attitude that led to security being what (ISC)2 chief operating officer Wes Simpson describes as "the culture of no, not the culture of go".

But just as IT teams are having to work more closely with business teams (or be replaced by cloud services), security needs to go through the same shift and start trying new things, Simpson urges.

"Security does not want to hamper business operations; we want to enable, support and accelerate. How we do that is getting involved early on, in the analysis stage, discovering what the business requirements are and doing security assessments of the platforms and technologies business teams are looking at."

That might reveal vulnerabilities that businesses don't want to be exposed to, and it lets business leaders understand what the impact would be or what risk mitigations they need to put in place. "This is all solvable: it's communication, it's having security and IT partner with the business and have a seat at the table." And that means hiring someone with functional, operational and leadership skills.

"Brainstorming, communications, collaboration and teamwork: a few years back those weren't valued in cybersecurity. We just wanted the best and the brightest and the technology expert but now we need somebody who can talk and communicate and facilitate. What we're starting to see is that the typical CISO and security role is morphing from needing the traditional computer science background to a much more diverse non-technical background. Security leaders have to interpret data and tell a story that's going to be meaningful to the CFO, the CEO to the board of directors."

The people with those skills may not have a security background, or an infosec degree, so organizations need to think differently about how they hire and who they look for. As well as filling the open jobs, that could also help security teams adopt the kind of experimentation that's becoming so important for innovation in other parts of business.

That's a long way from the department of no – or even the department of "not like that" – and it's a much more interesting job. Start thinking about security like that and you might have a lot less trouble filling those security jobs.
