Cybersecurity’s 3-million-person workforce shortage is now a risk management problem.
The cybersecurity workforce needs and wants you! Good news for many of us – but from an employer or strategic workforce planning perspective, this is problematic. There’s now a shortage of people qualified to protect data, systems, and operations.
Worldwide, the cybersecurity workforce shortage is about 3 million, according to the annual (ISC)2 Cybersecurity Workforce Study – produced by the organization that brought us the CISSP certification.
“Employment of information security analysts is projected to grow 28 percent from 2016 to 2026, much faster than the average for all occupations,” reports the U.S. Bureau of Labor Statistics.
A scarcity of cyber workers means increased cyber risk all around. The (ISC)2 study states that 60% of those surveyed say their companies are at moderate or extreme risk of cybersecurity attacks due to this shortage.
This risk factor resonates with us. Many of our consulting and technical services incorporate cyber risk-based analysis or decision-making. We also directly help mitigate cyber risk caused by workplace shortages with our virtual CISO and incident response services.
When we prepare cybersecurity documentation for organizations, the workplace shortage plays a further role. Deliverables from a typical risk or vulnerability assessment may include a plan of action and milestones (“POA&M”) that assigns a task (like remediating or maintaining a security control) to a specific person or role. If those roles don’t exist within the organization … well, that’s a lot of scary whitespace in your cybersecurity program recordkeeping.
Strategic workforce planning is now part of cyber risk management.
Whether bulking up your in-house cyber team or strategically outsourcing some specialized roles, workforce planning is key.
One challenge lies with the evolving lexicon of cybersecurity skills.
For example, a typical cyber worker may serve 5 or 6 distinct roles. That worker may grow in the job, picking up technical certifications along the way. How do you define this person’s role, or even begin to do succession planning or hire a person just like them?
The NICE Cybersecurity Workforce Framework (NICE Framework) written by NIST is a good place to start.
The NICE Framework, NIST Special Publication 800-181, is a resource that categorizes and describes cybersecurity work. Built over a decade, the core of the Framework is a taxonomy and common lexicon that describes cybersecurity work and workers. It’s neither DoD- nor Silicon Valley-specific. It tries to be universal. In a universe travelling a million miles an hour.
Need a work role description for a Vulnerability Assessment Analyst, Cyber Ops Planner, or Cyber Defense Forensics Analyst? It’s in there. Need some words describing what you are looking for in your Executive Cyber Leadership? That’s in there too.
A common language for cyber work is helpful …
- as colleges turn out new graduates with cyber-related degrees
- as military veterans transition into the workforce
- to measure cyber competencies in one’s own workforce
- when subcontracting for a particular skillset
- when hiring, mentoring, or advancing the careers of actual human beings whose jobs include both technical and non-technical functions
However, as an employer ourselves, we know there’s more to hiring the right people than using the right terminology and buzz words. (Speaking of buzz words, “Jobs requesting cloud security skills, for example, remain open 96 days on average – longer than any other IT skill,” reports CyberSeek.)
At Sera-Brynn, we work with state and federal workforce development programs like the Virginia Cyber Alliance, and the U.S. Department of Defense Skills Bridge. We create internship programs. CyberVets and programs like it are good resources for us. We also do it the hard way – interviewing, hiring, and training employees one person at a time.
The author, Colleen H. Johnson, Senior Cyber Legal Analyst, can be reached at firstname.lastname@example.org.