Industry 'must work with universities to fight cybersecurity skills gap'
Cybersecurity needs more skilled professionals, and businesses need to help train them, say experts
Experts have urged businesses and educators to address the widening cybersecurity skills gap by working together.
LinkedIn CISO Cory Scott said "there is way more demand than there is existing staff" for cybersecurity roles, while F-Secure chief research officer and industry veteran Mikko Hypponen explained that this is not a new phenomenon. "We've faced it already for quite a while and it's just getting worse," he said.
A Frost and Sullivan survey from last year revealed that 62 per cent of the 14,000 respondents thought that their organisations had too few security personnel. Not only that, but the workforce shortfall for the infosec industry is predicted to reach 1.5 million within five years.
"It is something that our annual research with B2B International highlights every year, and something that we believe is of global significance," Kaspersky Lab's managing director for Europe, Alex Moiseev, told IT Pro. "The world needs security professionals, with adequate skills to defend the technologies that we love and depend upon."
"The core reason for this skills shortage is that security isn't a field," Hypponen explained. "It's an umbrella for tons of different small niches. Do you want to be a forensics expert? On which platform? What kind of forensics? So you have to pick a very narrow field if you want to be good at what you do."
FICO chief analytics officer Scott Zoldi concurred, adding that security also includes skills from a vast number of disciplines. "It's an interesting mix of IT knowledge, and networking, and statistics and analysis, and critical thinking."
"I don't know if all those pieces fit within any of the siloed domains of a computer scientist, or a statistician, or an analytics person, or an IT ops person," he said.
Moiseev added: "Anecdotally, we've found the problem to be quite complex, with issues ranging from lack of interest in STEM subjects meaning less people exploring computer science in tertiary education, to organisations needing greater flexibility in their approach to training and 'upskilling' security specialists."
According to Hypponen, most cybersecurity professionals still end up coming into the industry by accident. For example, due to a background in assembly programming, Hypponen found himself to be very good at reverse-engineering malware, which started him on his 25-year career in cybersecurity.
"This is a tremendous problem," Zoldi said, "because if you don't have the right staff to actually look at these cases and put in the best practices, that's a very big challenge."
The solution, he suggested, could be for businesses to form deeper partnerships with education institutions. "We need to work with our universities," Zoldi urged, encouraging industry figures to donate their time and expertise.
"Those that have knowledge need to teach, they need to work and develop programmes that make sense in the cybersecurity area with local universities. Industry has to collaborate in that regard or the whole ecosystem is threatened, and that's not good for anybody, from a business perspective."
F-Secure has been running malware analysis and reverse-engineering courses at two different universities for the past nine years. "That's how desperate we are in trying to find new people," Hypponen said.
Kaspersky Lab has been running similar programmes, Moiseev said. "We are currently working on various initiatives - cybersecurity challenges, a campus ambassador programme - to raise awareness of security career paths in schools and universities."
Aside from bringing more experts into the field, cybersecurity degrees can also help educate budding hackers and security professionals on the philosophical and moral issues surrounding the industry.
"If we look at bioengineering," explained Zoldi, "there's typically a course around bioengineering ethics and there's these courses that talk about what's generally accepted and some of the complexities of the topic."
Moiseev also warned that courses need to be flexible in order to keep up with the demands of the industry. "Cyber threats are constantly evolving and no matter what we do to combat them, cybercriminals will only improve their own skills to carry out more sophisticated and complex attacks in the years to come.
"Not only do we need to drive greater interest in cybersecurity career paths, but we need courses that evolve and adapt at the same pace as threats (and the cybercriminals responsible for them), otherwise we risk a severe undersupply of skills, as well as talent."
However, Hypponen explained that while infosec degrees are valuable, they're not the whole solution. "The people who are coming out of university courses like that know the basics, but they are not experts in whatever we need them to do because it's so granular and so niche."
Once security graduates have a general understanding, Hypponen said, it's up to the industry to ensure they continue to develop their skills and experience.
"Companies need to train them and take them further," he said. "This shortage is so bad, that we can't hope to fill it by people stumbling into it accidentally. We have to do it in a more organised manner."