The already sizable shortage in cybersecurity professionals globally has swelled by about 400,000, according to an upcoming report by the International Information Systems Security Certification Consortium, or ISC2. The non-profit organization, which issues the widely sought-after Certified Information Systems Security Professional (CISSP) qualification to cybersecurity professionals around the globe, found that the number of cybersecurity roles required to adequately staff and defend companies is lacking by roughly 3.5 million, up from 3.12 million in 2020.

The number does not mean that 3.5 million cybersecurity jobs are open, however. In the US, there are slightly more than 460,000 cybersecurity job openings today—mostly advanced positions, according to CyberSeek, an online project supported by the National Initiative for Cybersecurity Education, part of the National Institute of Standards and Technology in the US Department of Commerce.

With the Covid-19 pandemic upending life as we knew since last year, the cyber-threat landscape has gone from bad to worse. According to Interpol, the international criminal police organization, cyber criminals took advantage of the disruption in worldwide communications channels to unleash malware, spyware and Trojan horses through phony interactive coronavirus information materials. At the same time, hospitals, medical institutes and public institutions were targeted with ransomware. To offer an even more recent example, Apple last week urged iOS users to make emergency software updates to their devices after security researchers uncovered a vulnerability that allowed spyware from the Israeli NSO Group to be installed without a single click.

The war between cyber criminals and cyber defense teams is a numbers game. First, how many troops can each side recruit? Second, how much money can they afford to spend? And third, how much money do they stand to gain?

Unfortunately for defense teams, there’s little to gain but vast amounts to lose, whereas the reverse is true for attackers. Banks and asset managers, which are ripe with sensitive data, such as investors’ net worth and their corresponding credentials, are prime targets. And financial institutions face regulatory fines, reputational damage, and additional investigative and data recovery costs if they leave themselves vulnerable. According to a recent IBM study, the average cost of a data breach in financial services last year was $5.72 million.

Too many barriers

One of the most persistent barriers to tackling the expanding cyber talent gap is the unrealistic job requirements listed for even entry-level roles. Clar Rosso, CEO of ISC2, would like to see that change. Rosso, a newcomer to the cybersecurity realm herself, left a career in the accounting world as a CPA only a year ago.

Anecdotally, she tells WatersTechnology that her organization has recently been talking to a global advisory firm about how ISC2 could assist them with cybersecurity education and training. The company was looking to fill 70 related job roles—from entry level all the way up the chain—and each one required a CISSP certification, which requires a minimum of five years’ experience.

“We think one of the things that’s really important is that the security team itself work with human resources on defining what the true needs are in the organization, what is the kind of role you’re trying to fill, and then appropriately list out the qualifications for that role, because not everybody needs to be a CISSP,” she says.

The advisory firm isn’t alone in asking for that qualification. According to CyberSeek, there are 16,000 more positions requesting the CISSP designation than there are certificate holders—106,370 versus 90,334.

“It has to mean—I have no evidence for this, but just intuitively—that whoever’s writing that job description doesn’t know what it is,” Rosso says.

A widening battlefront

The challenges of defending against cyber-attacks continue to increase. Brunner, one of SEI’s vendors, was hit by a ransomware attack last year, showing on how many fronts companies have to fight.  

Ryan Hicke, chief information officer at SEI, says that beyond remote working, regulatory and reputational pressure, and a talent pool that’s difficult to access, it’s not a field where it’s very easy or quick to train up one’s own talent.

“It’s not even just the people. Even if you can go acquire the talent, there’s a lot of technology, [and] there’s a lot of processes that also need to be put in place. So it’s not an easy thing to do, and there’s really no quick fix,” Hicke says. “I don’t think you can take somebody and put them through a 60-day bootcamp, and all of a sudden they’re cybersecurity experts.”

Last year, SEI rolled out SEI Sphere, a suite of IT services and tools that predominantly support cybersecurity endpoint and network protection. The offering is targeted at small to mid-sized organizations (50-1,000 employees) that do not have an abundance of resources available for cyber defense.

Though the space is undeniably in need of experts, some firms have reasoned that the smartest thing they can do to combat the gap is to ‘start ’em young’. In 2011, IBM launched P-Tech, which recently rebranded as IBM SkillsBuild, as a high school-level program for students to begin taking cyber courses and gaining field experience. More than 150,000 students in 28 countries have participated in the program over the last decade.

And three years ago, IBM also launched its Security Learning Academy, an internal program for employees, clients, and partners to upscale their knowledge of security practices. It receives an average of 32,000 visits per month with 22,500 registered users taking part in 1,500 courses and 500 labs, says an IBM spokesperson.

Soren Mortensen, global director of financial markets at IBM, tells WatersTechnology these are the tech company’s two key initiatives to address the expanding talent gap. “We provide the access to all the training through the academy; we provide them with exposure to technologies, and so forth. We train ourselves, so therefore we don’t have certification requirements [such as CISSPs] at the entry level,” he says.

Mortensen isn’t surprised that the number of positions needed to adequately defend companies’ digital operations has risen over the last year, but he says the number—whether it’s 3.1 million, 3.5 million, or more—is largely arbitrary. All one needs to know, he says, is that attackers outnumber defenders: “How long is a piece of string?”