Developing Cybersecurity Talent

Two colleagues from two different organizations recently shared ‘tales of woe’ from their failed cyber security talent searches. We have all read articles in the last year or two predicting a shortage of skilled cyber security talent. Are we really beginning to experience that predicted shortage so soon? According to Indeed Spotlight: The Global Cybersecurity Skills Gap, in Canada “job seeker interest meets 68.1 percent of employer demand”. Of particular concern is the fact that between 2014 and 2016, the gap has grown by 12%. The ICTC¹ report Labour Market Outlook 2017-2021 highlights an acute digital talent demand of around 216,000 “people” by 2021. Assuming that Information Security represents 5-10% of that predicted need, we can estimate that 10,800 to 21,600 cyber security professionals will be needed over the next four years.

Canada has a current contingent of 4,899 individuals who hold the coveted ISC2 CISSP designation; the number of ISACA CISMs for all of North America is 10,730, and Canadian GIAC GSEC certification holders are similar in number. The LinkedIn group Canadian Information Security Professionals has 3,879 members, the InfoSec Management Professionals group 2,876, and the Canadian Security Partners forum 6,976. With those figures in mind, a reasonable estimate puts the number of people currently working directly in information or cyber security in Canada somewhere between 5,000 and 10,000. Can we really expect to double or triple the number of competent practitioners over the next four years?

There are, of course, academic programs that will contribute candidates. The University of Winnipeg, Athabasca U, Concordia, and the University of Ontario Institute of Technology all offer Master’s level cyber security programs, and many universities and colleges have introduced courses at the undergraduate level into their computing science programs, but will you really put a freshly minted graduate into a senior security role? Probably not. We all want our analysts to have 3-5 years of experience on top of some accreditation; expectations for managers and CISOs are even higher. That is where the real problem begins. If we don’t have junior analysts building hands-on experience now, how can we expect to have enough senior analysts, managers and CISOs to fill positions over the next four years, especially when you consider the predicted rapid departure of baby boomers over that period?

One possible solution is to start with experienced internal candidates, building the information security skill set in the staff you already have. Looking at the current rate of change in IT, it is clear that there are many roles that will be dramatically different five years from now. The introduction of cloud services, increasing use of mobile devices, and more automated and self-healing services could actually free up existing talent, leaving them available to join your security team. These people have developed good customer service skills and work habits, and have a broad range of existing IT knowledge and skill that they can leverage to quickly move into a cybersecurity role. First, and most importantly, they will need a desire to work in cybersecurity. Most of them will not want to go back to school full time, but many will be able to attain appropriate certifications through professional bodies such as ISC2, ISACA and SANS. They will also need mentoring and, of course, ongoing training and development. Overall, a proven IT performer is a solid investment. So, look around your department; talk to people about the opportunities. When you have primed them, ask if they are interested in working in the field, then help them get started. The clock is ticking.

¹ ICTC: Information and Communications Technology Council