By Bruce Sussman
Wed | Feb 13, 2019 | 7:05 AM PST

What are the impacts of the cybersecurity talent shortage in 2019?

How does the security talent gap affect organizations and InfoSec professionals?

We interviewed Dr. Larry Ponemon of the Ponemon Institute after his keynote at a SecureWorld cybersecurity conference. His research has led him to some unique insights on a few of the ways the cyber skills shortage is creating uncertainty for organizations and professionals.

Big ways cyber talent gap impacts organizations, employees

1. It has created a lack of security depth in many organizations.

Says Ponemon: "I think what I found most surprising and consistent is the importance of having a competent staff, having the right bench strength for your security function. And in general, our respondents said it's not that the people working in your organization are not competent, they’re very competent, but the organization does not have enough bench strength. For example, you have people in artificial intelligence or machine learning and they need to be part of the security bench. And people responsible for [tracking] corporate espionage or sabotage, they need to be part of the bench. Right now in many cases, the bench doesn’t exist because there are too many vacancies."

2. Cybersecurity salaries are going up but also vary greatly.

"Compare cybersecurity to something like accounting," says Ponemon. "Accounting is established, there is a familiar career path and compensation structure that’s fairly similar between most firms. But cybersecurity, for lack of a better term, is kind of a hodgepodge of people and different backgrounds they bring to the table. There are geographic differences based on cost of living, certainly. But what is the reasonable baseline here? That has not really been decided. And this situation is exacerbated by the huge number of vacancies in security."

3. Organizations and CISOs are often left guessing during the hiring process.

"Companies that are looking to establish or expand cybersecurity teams need to know what the going salary is to attract and retain people. And the reverse is also true; they don’t want to find themselves in a situation where they’ve been overpaying someone for their skill set. Right now, it's difficult to be certain.

"And what we do know is that attackers are getting better funding, many are nation state-backed, so if you don’t get the right people to secure the organization, the consequences to many companies could be severe, even to the point of bankruptcy."

How big is the cybersecurity skills gap?

There are almost as many cyber skills shortage forecasts on the web as there are actual openings.

However, we really like the following breakdown from (ISC)2:

Cybersecurity workforce study, job openings by region

  • North America: nearly 500,000 open cybersecurity jobs
  • Europe, the Middle East, and Africa: more than 140,000 open roles
  • Asia Pacific: more than 2,000,000 unfilled cybersecurity jobs
  • Latin America: a cybersecurity talent gap of more than 130,000

And here's one last thought from Dr. Ponemon, who will be the keynote speaker at SecureWorld Toronto on April 24, 2019.

"The talent shortage is clearly a big problem that is getting worse, and unless an organization can bring the right people on and provide them with a career path, it’s not going to get better for that company."
