Security skills gap? What security skills gap?

After the year we’ve had, it shouldn’t come as a surprise that cybersecurity skills are heavily in demand. Breaches, attacks and incidents have never been far from the headlines, so as boards and businesses pay closer attention, they’re adjusting their hiring plans to ensure they’re protected. But a new study from recruiter Indeed.com found severe cybersecurity shortages persist in every country.

The report uses two years’ worth of data, and it tells us that Israel leads the world in demand for cybersecurity professionals. Ireland was next on the list, followed by the UK – although both are a long way back from first place. Demand for security professionals in Israel is 89.2% higher than in Ireland, 118.8% higher than in the third-place UK and 187.4% higher than in the fourth-place US.

In a blog post looking behind the numbers, Indeed said “Not every country has the same level of demand for cybersecurity professionals, and not every country suffers from the same severity of skills shortage; nor are all fields within cybersecurity in equally short supply”.

Network security specialists are still highly sought after no matter where you look: it’s the most wanted skill set in Israel, Ireland, the UK, the US and Germany. In the UK, network security is 223.1% more in demand than the next skill set of mobile security; in Germany it’s 83.1% more requested than identity and access management, and in the US, it’s 210.8% more in demand than application security.

In some places, supply outstrips demand. In the third quarter of 2016, job seeker interest in the coveted CISO role in the USA outstripped available roles by a factor of more than two to one. In Ireland, there were more security administrators than open posts waiting for them. Ethical hackers in the USA and UK are in a similar position.

Indeed.com used the word “severe” to categorise some of the skills shortages, and its blog post also quoted Cisco’s estimates of a million unfilled cybersecurity jobs along with Symantec’s prediction that this will rise to 1.5 million by 2019.

So is this a crisis? Your interpretation may depend on how you define a cybersecurity professional in the first place. Rik Ferguson of Trend Micro argued last year that the skills shortage only exists if you restrict your recruitment criteria to qualifications like a master’s degree in cybersecurity, which didn’t even exist until a couple of years ago. “The problem is, too many organisations are hiring pieces of paper,” he said.

Last year, I shared a panel discussion at the ISC(2) EMEA congress in Dublin, and I made the point that the industry tends to be very narrow-minded about what we define as a security professional. We need to expand our net in order to recruit people into the industry. For one thing, the industry is crying out for people with sales and marketing skills – the kind of ‘soft’ skills that usually can’t be taught.

Ironically, we work with communication technology, but as professionals, many security people aren’t very good at communicating with other stakeholders in the business. In my experience, technical skills can be easily taught provided the person learning has the passion and curiosity to acquire those skills; the softer skills are much more difficult to attain. Lee Munson’s tale “Breaking Into Infosec Through the Backdoor” is a classic example of how our industry nearly lost a fantastic and dedicated professional simply because he did not have the right pieces of paper.

Within many organisations there are often very talented people working in other areas of the business who have these soft skills. In my experience, skills are not the limiting factor in a good security professional; these can be taught. Rather, it is passion, determination, and curiosity that makes a true pro.

It is time we broadened our horizons when seeking new talent and became more diverse in terms of background, gender, age and skills.
