I’ve written a lot about the global cybersecurity skills shortage over the past few years. Here’s some recent ESG data that illustrates this problem (note: I am an ESG employee):
- Of those organizations hiring additional IT staff in 2015, 43% plan to hire IT security professionals – the highest percentage of all types of IT skills.
- At the same time, 28% of organizations say they have a “problematic shortage” of IT security skills – the highest problematic shortage of all types of IT skills.
This data indicates strong demand and weak supply of IT security skills across mid-market and enterprise organizations around the world.
This week, I attended an event sponsored by Hexis Cyber Solutions. As part of his presentation, Hexis’s CTO, Steve Donald, provided yet another metric about the cybersecurity skills shortage when he mentioned that there is 0% unemployment for cybersecurity professionals in the Washington DC area.
Now this may sound like an ideal situation where supply and demand are balanced but the opposite is actually true. In fact, economists tend to believe that the economy is most healthy when unemployment rates hover around 3%. So what happens at 0% unemployment? The Hexis CTO stated that 0% cybersecurity unemployment in DC has led to:
- Salary inflation as everyone is competing for the same pool of potential applicants.
- Productivity issues as cybersecurity professionals are barraged by headhunters and recruiters.
- High turnover since cybersecurity professionals are constantly job hopping.
- Inefficiencies as marginally-qualified cybersecurity professionals are getting jobs that they otherwise wouldn’t be offered.
- High costs as organizations are forced to pour money into training the inexperienced cybersecurity professionals they have to hire.
Aside from the overall situation in DC, these issues are most acute in the federal government itself – mostly for civilian agencies, but defense and intelligence are also feeling the pain. Cybersecurity pros who cut their teeth in defense and intelligence can make 2x to 3x in the private sector – especially when they are offered jobs in the financial services industry. And with job offers coming from all directions, few experienced cybersecurity professionals have the patience for time-consuming federal recruiting/hiring processes.
So in addition to the organizational woes described above, 0% unemployment in DC touches all US citizens. Government agencies remain understaffed and under-skilled, putting us all at risk.
While Washington DC is somewhat unique, it also represents a microcosm of a global problem. The same thing is happening in London, New York, Ottawa, and Tokyo, albeit at a slower pace.
I truly believe that the cybersecurity skills shortage represents one of the biggest challenges we face and it deserves a lot more public/private sector attention. We need to invest in STEM programs and cybersecurity education on a more strategic basis before we face 0% cybersecurity unemployment – and the associated ramifications – everywhere.