The real problem in cybersecurity is cyber labor scarcity.
The problem is that the supply of cyber labor has not kept up with demand. The demand for skilled security professionals began to rapidly increase around 2008. Before then, there was only a very small market for cybersecurity products and services. There were no computer viruses or worms back in the 1990s, so companies did not need to buy antivirus software. There was not much hacking or cyber warfare between countries either, so governments did not need to hire cybersecurity experts. The market for skilled security professionals remained relatively small even into the early 2000s.
The supply of cyber labor began to increase around 2008 when companies and government organizations realized they needed more cybersecurity products and services. Around that time, there was a rapid increase in the number of computer viruses, worms, and hacking incidents between countries. Large companies that were popular targets for cyber attacks publicly disclosed they were victims of cyber espionage or other advanced persistent threats. The number of Google searches by people who wanted to work in cybersecurity increased dramatically in 2008. Many qualified security professionals began to receive multiple job offers. People outside of the cybersecurity profession began to notice this shortage and started to hire more security professionals.
The market for skilled security professionals has become saturated with qualified employees. Many companies compete aggressively for cybersecurity talent. The median salary in the U.S. Information Technology (IT) industry is $80,000; an experienced cybersecurity professional can easily make $100,000 or more. People outside of the cybersecurity profession often do not understand how valuable cyber labor has become and do not properly respect IT professionals who make these important contributions. Demand for cybersecurity skills continues to grow, but supply does not meet this demand; therefore, the market price of labor must increase.
This is why we hear so much these days about "cybersecurity" and "cyberwar." It's hard to get good people.
How do we solve the cyber labor shortage problem?
There are many possible solutions. They include:
Increase the public's interest and involvement in cybersecurity by teaching children more about it.
Make cybersecurity a national priority, just as countries prioritize health care, defense, technology, and education.
Use "gameification" techniques to attract and motivate people to enter the field.
Allow workers in unlicensed professions to practice cybersecurity when they have the appropriate training and experience.
Increase funding for cyber competitions and other events that encourage security research and development.
The Department of Homeland Security's National Cybersecurity Workforce Framework may help to solve this problem.
Improve pay and retention for cybersecurity workers by increasing their prestige and opportunities for promotion.
Develop better training programs to increase the number of qualified individuals seeking work in the field.
Solve the cyber labor shortage by making hiring decisions based on the skill and passion of the candidate regardless of their origin.
Allow cyber professionals to work in more than one country by establishing bilateral international cybersecurity agreements between countries with limited labor pools.
Cybersecurity Solutions that do not require cyber labor:
Companies and government organizations have been developing cybersecurity technologies for 30 years, so there are many security products and services to choose from. These include:
Cloud computing providers.
Secure web gateways.
Intrusion detection systems.
Cybersecurity awareness training for employees.
Electronic authentication of users, devices, and data.
Data loss prevention technologies that automatically detect and stop data from leaving an organization without permission.
The National Institute of Standards and Technology (NIST) has published a roadmap that may help organizations improve their cybersecurity capabilities.
Governments are also developing new security solutions to address the cyber labor shortage problem.
Nations can reduce their reliance on foreign-born workers by improving their own education systems.
Countries with limited cybersecurity workforces can improve security by increasing their cooperation with other countries. Governments in the Five Eyes alliance (Australia, Canada, New Zealand, the United Kingdom, and the United States) already share cybersecurity information through an agreement called "Five Country Conference." Cybersecurity agreements between European Union members are also in development.
Some governments have created cybercrime task forces to investigate and prosecute cybercriminals who commit financial crimes and use the Internet for extortion.
The United States Cyber Command (USCYBERCOM), which was created by presidential directive in 2009, now has operational responsibilities to respond to attacks on military networks as well as those that affect critical infrastructure. USCYBERCOM has also forged partnerships with universities, government laboratories, and industry to provide training in cyber defense.
Government organizations have created cybersecurity competitions to identify new talent.
Many of these solutions are being implemented in the United States. For example, the Department of Defense Cyber Crime Center (DC3) sponsors Capture the Flag hacking contests that attract participants from around the world. The National Collegiate Cyber Defense Competition (NCCDC) is another competition that includes students from dozens of colleges and universities in the United States, Canada, and Mexico. USCYBERCOM also sponsors a series of cyber-related competitions such as the Department of Defense Information Network (DODIN) Rodeo, which is the world's largest hacking competition.
The United States government has also developed cybersecurity training programs to help solve the cyber labor shortage problem.
The National Initiative for Cybersecurity Education (NICE) was created in 2010 with a mission to increase national cybersecurity awareness and improve workforce development in the field. NICE has developed a national cybersecurity awareness campaign called "Stop. Think. Connect."
The National Science Foundation funds the Cyber Corps Scholarship for Service program, which pays tuition and fees of students studying cybersecurity in college. Once they graduate, these students are required to work for three years at an approved federal agency. In return, the federal agency is required to pay back the scholarship in full.
The Department of Homeland Security sponsors the National Cybersecurity Workforce Framework, which classifies cybersecurity jobs into "work roles" and provides a list of competencies needed to perform each role. This tool makes it easier for training managers, job recruiters, and human resources personnel to find employees with the right skills.