President Joe Biden has urged U.S. companies to “harden your cyber defences immediately” amid a growing risk of Russian cyberattacks. For many, that won’t be easy.
The war for talent has been well-telegraphed throughout the country, but it’s particularly acute in cybersecurity. And it’s only worsened as competition in the broader labour market has heated up, heightening both companies’ potential vulnerability to hackers and the urgency to boost the workforce, reports Bloomberg News.
About one million people work in cybersecurity in the U.S., but there are nearly 600,000 unfilled positions, data from CyberSeek shows. Of those, 560,000 are in the private sector. In the last 12 months, job openings have increased 29%, more than double the rate of growth from 2018 to 2019, according to Gartner TalentNeuron, which tracks labour market trends.
“The crunch for cybersecurity talent has definitely gotten a lot worse,” said Jamie Kohn, human resources research director at Gartner Inc., a tech research and consulting firm. “We thought we had five years maybe to get those professionals in the door, and now we’re trying to do it overnight.”
Workers with the technical skills required to respond to cyber threats were already hard to come by before the COVID-19 pandemic forced employees to work from home. But a confluence of events ratcheted up demand even more for positions such as software developers, vulnerability testers, network engineers, and cybersecurity analysts.
With so many employees using their home networks and computers, phishing attempts soared, as did ransomware attacks on businesses, schools, hospitals and other organizations.
A ransomware attack on Colonial Pipeline Co. last May resulted in Americans panic-buying fuel, leading to supply shortages on the East Coast, while other high-profile incidents were attributed to hackers supported by U.S. adversaries. In December 2020, for instance, investigators revealed a cyber-espionage campaign in which state-sponsored Russian hackers reportedly compromised software made by SolarWinds Corp. and used it to infect some of the company's customers. Moscow has denied involvement in the matter.
“There are times within cybersecurity when the market even grows faster and when the demand is hotter, and I believe we kicked off one of those cycles with SolarWinds,” said Bryan Palma, chief executive officer of Trellix Corp. “Now we have the Russia-Ukraine conflict. We’re seeing cybersecurity grow faster than the normal 16% each year, which therefore is driving the need for even more skills and professionals in that area.”
The cyber worker shortage is a particular problem with smaller organizations, everything from municipalities and law firms to hospitals and businesses, that can’t offer high enough pay to attract high-skilled workers, said Max Shuftan, director of mission programs and partnerships at the SANS Institute, a cybersecurity training organization.
“Most civilian public agencies can’t pay what the public sector can,” Shuftan said. “At the same time, small businesses – companies that aren’t in an industry that you’d normally worry about this – they’re probably not going to have the staff, and that makes them more vulnerable to attacks.”
Last year, ransomware attacks affected the operations of organizations including a San Diego hospital system, a nationwide payroll provider, and the office network of the Illinois attorney general.
“Our critical infrastructure – our way of life – is really under cyber assault all the time,” Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, said during a speech in mid-March. “And our current geopolitical crisis is only exacerbating this threat. If we don’t do something about it, there’s still going to be 3.5 million unfilled cybersecurity jobs by the year 2025.”
The Department of Homeland Security rolled out a new system for hiring cybersecurity personnel in November that allows federal cybersecurity workers to earn as much as $255,800, equivalent to the salary of Vice President Kamala Harris. The new pay scale was created to help the department compete for talent, according to the DHS.
The cybersecurity industry also isn’t immune to the broader macroeconomic trends that are upending the labour market, including a desire for remote work, flexible hours, and higher pay. Trellix, for instance, will adopt a hybrid model in which employees balance remote work and work from offices.
In 2020, the annual mean wage for information security analysts was $107,580, almost double the mean for all U.S. occupations combined, according to data from the Bureau of Labor Statistics.
Because cybersecurity skills are in such high demand, workers have room to negotiate and can jump from one company to another relatively easily. But hiring cybersecurity professionals from another company doesn’t address the underlying issue: that there aren’t enough qualified workers, said Stuart Madnick, professor of information technologies at the MIT Sloan School of Management.
Countries such as Russia, China, and Israel that have compulsory military service have a better talent pipeline of qualified individuals who have been trained in cybersecurity at the government level, according to Palma. He said he has been communicating with members of Congress about creating an AmeriCorps-type program specifically for fostering cybersecurity talent.
Other efforts to increase the talent pool include implementing cybersecurity courses in high schools, offering workshops to lower-level IT professionals, running training in rural regions, and dropping degree requirements in favour of aptitude tests. Automating some security-related tasks could also be a solution to the hiring problem.
“We have a massive shortage of security experts on the planet, and we want to automate so much of the talent and capability,” Kevin Mandia, CEO of Mandiant Inc., said. “That’s all software’s ever been … the automation of human process.”
None of those solutions is immediate, but the threats are.
“The worst is yet to come,” said Madnick of MIT. “Not just because things have been getting worse and worse each year, but we’ve concluded that the disruptions we see are nowhere as bad as they could’ve been. We think, in many cases, these were test runs.”
https://techxplore.com/news/2022-03-hackers-path-eased-cybersecurity-jobs.html