The threat of cybercrime and cyber terrorism that faces the world today is amongst the most serious and pressing of issues. Breaches and attacks upon IT security infrastructure threaten nearly every aspect of our way of life, from the functioning of democracies and businesses to the ability of individuals to protect their private data. In our digital age, IT security experts, technology and systems are our frontline against a dangerous and unpredictable world. Make no mistake, this is an arms race.
It is perhaps surprising, then, that as this IT security threat continues to evolve and grow, governments and businesses are struggling to keep up in one of the most fundamental of areas: IT security job recruitment. Without the expertise and simple manpower to design and manage IT security systems and strategies, businesses, governments and other institutions are left vulnerable to outside attack.
In this article, I want to explore the growing IT security jobs crisis, how it came about and what it means for businesses.
An IT Security Disaster in the Making?
The scale of the problem varies depending on which report you read, but there is no debate among businesses and the IT security industry at large that it is hugely challenging (to say the least). The infographic below from ISACA (a not-for-profit information security advocacy group) has some pretty alarming statistics. Whilst the figure of a 2 million shortage in IT security professionals is surely the big takeaway from these stats (for balance, a 2017 report by (ISC)2 puts this at 1.8 million by 2022, but the figure is still alarming), there are other stats that stand out.
Let’s take the fact that over half of businesses are experiencing significant delays of over 6 months in filling IT security job vacancies, and that 84% of organisations are finding that half or more of cybersecurity job applicants are unqualified. In the US alone, employers are failing to fill 40,000 information security analyst jobs every year. That figure jumps to 200,000 when you factor in all IT security related jobs.
It’s not that these jobs are poorly paid. In the UK an IT security analyst’s salary is anywhere between £32k and £78k. In the US it’s between $50k and $103k. What’s more, IT security job salaries are rising quicker than salaries in more general IT roles. With IT security job growth rising three times faster than IT job growth, the simple fact is that there aren’t the numbers rising up to fill these roles.
So how did this job shortage come about and what can businesses and individuals do about it?
The Roots of the Cyber Security Recruitment Gap
There is no single reason why this huge deficit has opened up between IT security job vacancies and qualified candidates to fill them. Much of it could be to do with the simple fact that governments, and the public bodies and institutions they rely on and fund, can be slow to react to new threats. This partly comes down to politics and funding but also to plain bureaucratic inefficiency in adapting to growing challenges. Let’s face it, the public sector isn’t known for its efficient handling of large IT infrastructure projects (in the UK certainly).
Of course, business is another matter. Whilst there is evidence that businesses have been faster to recognise and rise to the challenge, the scale of the cyber security job crisis still leaves some big questions for the global business community to answer. Like governments and the public sector, it’s likely that businesses have simply underestimated the scale of the problem, both in the threat cybercrime poses and in the speed at which the crisis in job recruitment has been growing.
With regard to the latter of these points, businesses have failed to communicate the massive need for IT security professionals to policy makers, educational institutions and the public at large. They have also failed to recruit from a wide enough talent pool, relying instead on traditional IT career paths into which trainees and new recruits can be siphoned. Much of this is a failure to see IT security as a completely separate area of business, distinct from IT and tasked with communicating and strategising right up to executive level.
A Cyber Security Jobs Strategy for Businesses
Despite the grim statistics, all is not lost and there are many steps businesses can take today to deal with the fundamental IT security recruitment challenges of the future. What’s important to remember is that the demand for IT security jobs isn’t down to lack of interest but rather poor external and internal recruitment strategies, underinvestment and a blinkered adherence to traditional career pathways. Let’s look at some of the things businesses can do to address the problem:
- Reform the hiring and selection process: What’s needed from the recruitment policy side of things is less a change of approach and more a completely new mindset when it comes to hiring IT security staff. Employers need to start thinking about how they can attract candidates from outside normal career and even educational routes into the profession. There is undoubtedly a hugely talented pool of self-taught individuals out there. Many of these people may not have the qualifications needed to get noticed in the industry, but finding ways to get them in at the ground level could open up a largely untapped source of real talent.
- Creating local networks: Traditionally businesses are pretty guarded about the information they share, but if they are to address the growing IT security recruitment crisis they need to come together in an effort to create a united front in tackling the problem. The importance of networks cannot be overstated. Whether it’s businesses sharing data on new cybersecurity threats or simply publishing guidance on recruitment best practice, information sharing is key. These networking initiatives should reach out beyond the business world to educators and young people looking at a career in IT. Encouraging individuals into the industry from an early age is important.
- Rethinking CPD: Continuing professional development and internal training need to be completely rethought if businesses are to properly nurture the next generation of cyber security professionals. The first step is to think of IT security as a separate department from IT, albeit one with strong links. Your IT department may be the most natural place to begin sourcing your next IT security staff, but these individuals need to have separate skills specific to IT security, such as the ability to think strategically, an analytical mind, natural leadership skills, a willingness and drive to educate others and a holistic understanding of how the business works. Internal training and fast-track recruitment schemes need to recognise and nurture these skills.
- Create a cyber security guru role: Many small or medium sized companies will simply not be large enough to justify a separate IT security team. In these instances, it may be beneficial to the wider business to appoint a cyber security guru or head of IT security. This role would exist within the IT department but form the basis for a business-wide approach to IT security, one that involves developing ongoing strategies, creating workshops for IT staff and establishing IT security best practice for all staff.
Getting a Job in IT Security
Whilst there are several positive steps businesses can take to address the growing cybersecurity jobs gap, there are of course a number of things anyone interested in getting into the IT security industry can do. Whilst soft skills are a benefit, experience and qualifications are required to get a job in this industry. It should be remembered that the pressing need for IT security experts does not preclude the need for qualifications and experience, on top of the soft skills needed to succeed in the job (the cybersecurity industry has become very focused on certification in the last few years).
You may work in IT already or be an enthusiastic self-taught coder, but a background in IT isn’t essential. Those in highly analytical jobs will often have developed the skillset to get them off the ground.
Whatever your background, education or age, there are a number of steps you can take to smooth the path towards a professional role. We’ve created this handy infographic of 10 tips to get you thinking.