November 20, 2014 By Martin McKeay 3 min read

If you’re a security professional you’ve probably heard we’re going to be short 2 million security professionals worldwide by 2017. At least that’s what speakers at the Digital Skills Committee at the House of Lords in London said recently. The basic thought is that we’re not training enough students to be security professionals, and there is an increasing need for security professionals as we face further reliance on the Internet for banking, commerce and entertainment.

Add to these pressures the expansion of Internet enabled devices, the Internet of Things, and you can easily see a shortage of 2,000,000 professionals within the next two years. The only problem is, we may be underestimating the number really needed by a factor of 50-100%.

Finding the Right People

Ask anyone who’s tried to hire a qualified security professional within the last five years and you’ll hear a story about the difficulty of finding the right people. Finding the right skill and the right person, even for an entry-level security role, is difficult. And it only gets more painful when you’re looking for someone more experienced or with a specific skill set that’s in high demand. It drives up the salaries in the field, it causes longer search times for candidates and it basically sets unrealistic expectations for new people coming into the field.

But the real reason we’re likely to suffer an even higher deficit in security professionals is two-fold. First is the concept of technical debt, more specifically security debt. Security has been an add-on for decades, something that was either ignored or added as an afterthought, which has only really been changing in recent times. We haven’t put the resources necessary in place to properly protect many of our systems, and that security debt has been gathering interest silently in the background. As we start digging into these problems, it’s likely we’ll find they are much bigger than they appeared because past deficits will be revealed.

The second, closely related issue is a rising storm of issues in older software, which is creating a new norm in security vulnerabilities. If you work in security and haven’t lost sleep to Heartbleed, Shellshock, POODLE or the latest bug in Drupal, you should consider yourself very, very lucky. And as the industry starts looking deeper into the old software we all rely on, as researchers re-examine the foundational code that makes the Internet run, we’re going to have more emergency patches issued and lose more sleep responding to the fire drills. The stress caused by this increase in emergency-class events means we can’t continue doing incident response as normal; we will need new processes, new communication channels, and, most importantly, more people to be involved so that we don’t burn out the few people we currently have.

Making it Work

Long term, education is one of the biggest solutions to the deficit of security professionals, but it’s not going to help us within the next two years. The reality is that it takes more than two years to get a degree created and running in any discipline, and while there are quite a few schools that currently have a security curriculum, it’s simply not enough. And a degree doesn’t make a security professional; a certain level of curiosity, tempered by cynicism and disbelief of the status quo, is needed. There are any number of challenges a security professional faces in their career, but one of the underlying threads is that you have to be prepared to dig a little deeper than the data suggests on the surface.

Short term, what we really need is to work harder at making security an integral part of business practices. We’ve talked about this integration for years, but at all too many companies it’s still just something we pay lip service to. There are islands of support in development groups or IT, but how many companies can really say they have a security practice that has supporters and integration everywhere from the CEO down to marketing and sales? If we can’t find new people to hire in the near future, we need to modify our processes and procedures to take advantage of the people we do have outside the security team. If your incident response plans don’t include marketing for communication, sales for explaining the issues to your customers and the CEO for making the tough calls, then there’s still work to do around integrating with the business.

Eventually, market pressures will increase the number of people choosing security as a career, but it’s not going to be quick and it’s not going to be in the next two years. In the meantime, it’s going to take leadership that can make the most of the resources we do have and reach outside what we traditionally think of as the security team. And the front-line security professionals of today are going to have to become the leaders of tomorrow to teach all the new people coming in from colleges and farther afield.
