Why Are Businesses Struggling to Fill Cybersecurity Vacancies? by Dean Madison, President at TD Madison & Associates

If you were to ask CIOs and CSOs which positions they have most difficulty filling, they wouldn’t respond with network engineer, system administrator, or developer. Instead, it is cybersecurity professionals and executives with cybersecurity expertise who are the hardest to hire.

There are two main reasons businesses struggle to fill cybersecurity vacancies. The first reason is a lack of qualified professionals. As a professional field, cybersecurity is still young and it lacks the extensive education and professionalization pipeline that fields such as software development rely on. The second reason is an expanding cybercrime economy: online crime is lucrative and businesses have woken up to the risk of data theft in recent years. Many more businesses are trying to hire cybersecurity professionals and executives from a pool which is not growing quickly enough to meet demand.

According to a recent study from (ISC)², the global cybersecurity skills shortfall stands at 2 million. Around 60% of respondents reported that their organization faced a shortage of cybersecurity professionals and that it posed an extreme or moderate risk. That makes hiring cybersecurity professionals and executives one of the biggest recruiting problems in modern business.

How did we end up in this situation? The nutshell explanation is that the need for cybersecurity expertise has grown exponentially in the last few years, while the supply of professionals has remained stagnant or, at best, grown too slowly. Businesses are faced with the challenge of hiring the best from a dwindling pool, but it’s worth taking a moment to consider the factors that are responsible for the cybersecurity skills shortage.

The modern economy is a data economy. Data is one of the most valuable assets businesses and individuals own. Most of the biggest new tech companies of the last two decades — Facebook, Uber, Google, Amazon — reap huge profits from data. There are thousands of smaller companies built around harvesting, storing, processing, and selling data. Where there’s money to be made, you will find crime.

It’s estimated that the cybercrime shadow economy is worth $1.5 trillion globally. That’s a massive amount of money, largely generated through data theft. It’s no wonder enterprising criminals want in on the action. As the data economy grows, the cybercrime economy grows with it, and legitimate businesses are put under enormous pressure.

The other consequence of massive crime and a historically lax approach to data privacy is regulation. The EU’s GDPR, California’s Customer Privacy Act, and similar initiatives around the world have forced businesses to act — and compliance demands expertise.

But even without the long arm of the GDPR, businesses are beginning to give security and privacy their due. Facebook has been repeatedly raked over the coals for its lax approach to user data. No executive wants to find themselves on C-SPAN being quizzed by members of Congress about a massive data leak. Consumers and their representatives are getting wise to just how valuable their data is and the consequences of having it stolen.

We have entered an era in which privacy and security are features rather than an afterthought. Companies that don’t cultivate expertise in security through both executive recruitment and rank-and-file training will find their markets drifting towards competitors that take security seriously.

Security was once the domain of developers and system administrators, and few professionals specialized in cybersecurity. Today, the cybersecurity landscape is so complex and evolves so quickly that only dedicated specialists can keep up. As TechCrunch contributor Robert Ackerman Jr. points out, “almost no cybersecurity pro over 30 today has a degree in cybersecurity.” That’s slowly changing, and college-level education courses for cybersecurity professionals are being launched at institutions across the country, but it will be some time before the system produces sufficiently trained professionals to meet the growing demand.

Taken together, these factors contribute to the increasing importance of executive recruitment and training for cybersecurity. With a shortage of talent, businesses must be prepared to do what it takes to attract executives with a proven track record in cybersecurity. Without solid cybersecurity leadership, they will struggle to implement the processes and policies necessary to defeat criminals seeking their fortune in the trillion-dollar dark economy.