The already sizable shortage in cybersecurity professionals globally has swelled by about 400,000, according to an upcoming report by the International Information Systems Security Certification Consortium, or ISC2. The non-profit organization, which issues the widely sought-after Certified Information Systems Security Professional (CISSP) qualification to cybersecurity professionals around the globe, found that the number of cybersecurity roles required to adequately staff and defend companies is lacking by roughly 3.5 million, up from 3.12 million in 2020.
The number does not mean that 3.5 million cybersecurity jobs are open, however. In the US, there are slightly more than 460,000 cybersecurity job openings today—mostly advanced positions, according to CyberSeek, an online project supported by the National Initiative for Cybersecurity Education, part of the National Institute of Standards and Technology in the US Department of Commerce.
With the Covid-19 pandemic upending life as we knew it since last year, the cyber-threat landscape has gone from bad to worse. According to Interpol, the international criminal police organization, cyber criminals took advantage of the disruption in worldwide communications channels to unleash malware, spyware and Trojan horses through phony interactive coronavirus information materials. At the same time, hospitals, medical institutes and public institutions were targeted with ransomware. To offer an even more recent example, Apple last week urged iOS users to make emergency software updates to their devices after security researchers uncovered a vulnerability that allowed spyware from the Israeli NSO Group to be installed without a single click.
The war between cyber criminals and cyber defense teams is a numbers game. First, how many troops can each side recruit? Second, how much money can they afford to spend? And third, how much money do they stand to gain?
Unfortunately for defense teams, there’s little to gain but vast amounts to lose, whereas the reverse is true for attackers. Banks and asset managers, which are ripe with sensitive data, such as investors’ net worth and their corresponding credentials, are prime targets. And financial institutions face regulatory fines, reputational damage, and additional investigative and data recovery costs if they leave themselves vulnerable. According to a recent IBM study, the average cost of a data breach in financial services last year was $5.72 million.
Too many barriers
One of the most persistent barriers to tackling the expanding cyber talent gap is the unrealistic job requirements listed for even entry-level roles. Clar Rosso, CEO of ISC2, would like to see that change. Rosso, a newcomer to the cybersecurity realm herself, left a career in the accounting world as a CPA only a year ago.
Anecdotally, she tells WatersTechnology that her organization has recently been talking to a global advisory firm about how ISC2 could assist them with cybersecurity education and training. The company was looking to fill 70 related job roles—from entry level all the way up the chain—and each one required a CISSP certification, which requires a minimum of five years’ experience.
“We think one of the things that’s really important is that the security team itself work with human resources on defining what the true needs are in the organization, what is the kind of role you’re trying to fill, and then appropriately list out the qualifications for that role, because not everybody needs to be a CISSP,” she says.
The advisory firm isn’t alone in asking for that qualification. According to CyberSeek, there are 16,000 more positions requesting the CISSP designation than there are certificate holders—106,370 versus 90,334.
“It has to mean—I have no evidence for this, but just intuitively—that whoever’s writing that job description doesn’t know what it is,” Rosso says.
A widening battlefront
The challenges of defending against cyber-attacks continue to increase. Brunner, one of SEI’s vendors, was hit by a ransomware attack last year, showing on how many fronts companies have to fight.
Ryan Hicke, chief information officer at SEI, says that beyond remote working, regulatory and reputational pressure, and a talent pool that’s difficult to access, it’s not a field where it’s very easy or quick to train up one’s own talent.
“It’s not even just the people. Even if you can go acquire the talent, there’s a lot of technology, [and] there’s a lot of processes that also need to be put in place. So it’s not an easy thing to do, and there’s really no quick fix,” Hicke says. “I don’t think you can take somebody and put them through a 60-day bootcamp, and all of a sudden they’re cybersecurity experts.”
Last year, SEI rolled out SEI Sphere, a suite of IT services and tools that predominantly support cybersecurity endpoint and network protection. The offering is targeted at small to mid-sized organizations (50-1,000 employees) that do not have an abundance of resources available for cyber defense.
Though the space is undeniably in need of experts, some firms have reasoned that the smartest thing they can do to combat the gap is to ‘start ’em young’. In 2011, IBM launched P-Tech, which recently rebranded as IBM SkillsBuild, as a high school-level program for students to begin taking cyber courses and gaining field experience. More than 150,000 students in 28 countries have participated in the program over the last decade.
And three years ago, IBM also launched its Security Learning Academy, an internal program for employees, clients, and partners to upscale their knowledge of security practices. It receives an average of 32,000 visits per month with 22,500 registered users taking part in 1,500 courses and 500 labs, says an IBM spokesperson.
Soren Mortensen, global director of financial markets at IBM, tells WatersTechnology these are the tech company’s two key initiatives to address the expanding talent gap. “We provide the access to all the training through the academy; we provide them with exposure to technologies, and so forth. We train ourselves, so therefore we don’t have certification requirements [such as CISSPs] at the entry level,” he says.
Mortensen isn’t surprised that the number of positions needed to adequately defend companies’ digital operations has risen over the last year, but he says the number—whether it’s 3.1 million, 3.5 million, or more—is largely arbitrary. All one needs to know, he says, is that attackers outnumber defenders: “How long is a piece of string?”
Copyright Infopro Digital Limited. All rights reserved.