You’re most probably aware of the unbalanced equation between demand and supply in cybersecurity workforce, a fact all the more dire when you consider the myriad hazardous threats facing organizations of all sizes. Since today is Antimalware Day, a day when we recognize the work of security professionals, we think it apt to look at some data relative to the talent crunch and, more broadly, to the work of security pros. Chances are that, in so doing, we’ll help you determine if you too might want to pursue a career in this field of endeavor.
By the numbers
The 2019 Cybersecurity Workforce Study by the security certifications organization (ISC)2, the global shortage of cybersecurity professionals topped 4 million last year, having risen from 2.9 million in 2018 and from 1.8 million in 2017. In the United States alone, the gap last year was nearly 500,000. To meet the global demand, the number of skilled security workers would need to grow by 145%.
It’s worth noting that some continents are faring better than others. Per last year's study by (ISC)2, the APAC makes up the largest proportion of the workforce gap (64 percent), followed by LATAM (15 percent), North America (14 percent) and Europe (7 percent).
Among other notable findings, two in every three organizations said that they have a shortage of security practitioners, and the respondents singled out this shortage as their key concern. It’s hardly a surprise then that one-half of them admitted that their organization is “at moderate or extreme risk due to cybersecurity staff shortage”.
This year, the COVID-19 pandemic raised the stakes further, including by pushing the digital transformation into overdrive and making work from home the new normal. Attacks have continued to increase in number and severity, the strain on current cybersecurity workers has increased, and the demand for security solutions and services has been on the way up. Against this backdrop, the workforce shortfall isn’t going to shrink. Rather the contrary, the demand will continue to outpace the supply.
Is a cybersecurity degree (or certification) worth it?
One question that often pops up is whether you can get a job in security without a college degree in this or a related field. We touched on the issue last year, where several ESET security researchers share their own experience and views. Per (ISC)2, security professionals typically do have a bachelor’s degree or higher, and a large portion of them majored in computer or information sciences.
On the other hand, 12 percent got into computer security with “only” a high-school diploma. This is hardly a surprise, though: while more and more academic institutions worldwide offer degree programs in computer security, there are still many that have yet to launch such programs. As a result, many experts in the field are self-taught and/or prepared for their careers via non-academic courses and certifications.
RELATED READING: A beginner’s guide to starting in InfoSec
Indeed, holding a cybersecurity certification is becoming increasingly useful, and security pros have an average of four such “badges” that prove their knowledge, skills and abilities. It’s also why they command higher salaries (US$71,000 on average per year) than fellow security practitioners with no such badges (US$55,000). The gap is even more pronounced in the US and Asia-Pacific.
Having said that, another (ISC)2 survey among security professionals found that competitive salaries weren’t the main factor informing their choice of a career path. Several other attributes – especially working in an environment “where their opinions are taken seriously” and where they can “protect people and their data” – turned out to matter even more. In the new study, 84 percent of the respondents said that they are where they expected to be in their careers. Given their high job satisfaction levels, things indeed seem to work well for security practitioners.
The worth of bug bounties
Bug bounty programs, where ethical hackers receive financial rewards for reporting security vulnerabilities in organizations’ computer systems, have been an important way of increasing the interest in security, especially among young people. According to the 2020 Hacker Report by bug bounty platform provider HackerOne, as many as 850 white hats are joining the ranks of the 600,000-strong community every day.
It’s safe to say that these programs are also useful when it comes to deterring cybercrime and getting people, especially teens, to cross “from the dark side into the light”. Driven by prospects of receiving praise and recognition from their peers, many people become cybercriminals at a very young age, without fully realizing the consequences of their actions.
While bug bounty or similar programs are by no means the solution for the growing talent crunch, organizations can certainly benefit from help by ethical hackers. Indeed, tapping into this pool of talent can help organizations alleviate the skills shortage.
The door wide open
In closing, here’s perhaps one more data point to consider. The survey by (ISC)2 found that only 42% of the respondents’ first jobs after education were in security. In other words, this field of endeavor is widely open to people who are looking to reinvent themselves as security professionals.
Happy Antimalware Day!