Cybersecurity Workforce Study Needs to be Taken with a Pinch of Salt

Published 25 November 2020
Source: Security Week

Apprenticeships, on the job learning, backed up with support training packages are the way to go to tackle head on a shortage that is not going to go away…

Steve Durbin, Managing Director of the ISF

The global cybersecurity workforce has increased by 700,000 to 3.5 million (while the shortfall has decreased by 950,000 to 3.12 million), and companies have apparently transitioned to remote working securely. 

These are the big takeaways from the 2020 ISC2 Cybersecurity Workforce Study, which queried 3,790 people who spend at least 25% of their time concentrating on cybersecurity tasks. The first takeaway relates to the workforce. “Overall we’re seeing some very positive trends from the cybersecurity workforce reflected in this new data,” said Clar Rosso, CEO of ISC2. “The response to COVID-19 by the community and their ability to help securely migrate entire organizational systems to remote work, almost overnight, has been an unprecedented success [the second takeaway] and a best-case scenario in a lot of ways. Cybersecurity professionals rose to the challenge and solidified their value to their organizations.”

But while these figures are welcome, there are nevertheless caveats. The cybersecurity workforce is a huge and diverse market, and the in-demand skill set is constantly changing. We don’t know where the 700,000 additional staff are operating. Are they skilled data engineers able to triage the alerts from machine learning, or experts in cloud security brought in to help secure the new home-office hybrid environment — or are they less-skilled cyber administrators brought in to help manage and train remote workers?

Steve Durbin, managing director of the Information Security Forum, sees little alternative to in-house training. “Apprenticeships, on the job learning, backed up with support training packages are the way to go to tackle head on a shortage that is not going to go away,” he told SecurityWeek. He doesn’t know whether it will work, but adds, “Whether or not CISOs and their HR departments will value such earned skills remains to be seen but there is a practical element to be considered here: organizations can either adopt an attitude that says we will work with the rich skill sets that are available and provide the security components by online training, apprenticeships and practical skills transfer through mentoring schemes, or they can sit back and wait for the perfect candidate to come along some time, maybe never.”

The second takeaway from the ISC2 report is the speed and success with which organizations have adopted the work from home paradigm. Says ISC2, “The data shows that 30% of cybersecurity professionals faced a deadline of one day or less to transition their organizations’ staff to remote work and to secure their newly transformed IT environments. 92% of respondents indicated that their organization was ‘somewhat’ or ‘very’ prepared to respond, and just 18% saw security incidents increase during this time.” This is a remarkably upbeat view of the success of the transition. But the caveat is simple — it’s too soon to tell.