Behind technology is people. And in cybersecurity, we just need more of them.
Research suggests the global industry is struggling to fill 2.9 million cybersecurity jobs, while demand for cybersecurity professionals is rising across all sectors.
We often see evidence of the skills gap at Kaspersky. In our 2019 survey, one in three Chief Information Security Officers (CISOs) say they find it hard to recruit the cybersecurity people they need.
Why is there a skill shortage in cybersecurity?
Digitization, sensitive data and privacy concerns mean businesses are crying out for technical specialists, managers, CISOs and people with cross-functional expertise.
The problem is not lack of ability in the existing workforce, nor lack of promising young people wanting to work in the field. The hard-to-fill roles tend to be those in cybersecurity areas with a lower profile – the less talked about specializations.
In a cybersecurity career, choosing the right specialism and the right skills to develop will give you an earning edge and greater choice among employers. From our experience at Kaspersky, and what we’ve learned from others across the industry, these are the areas where skill shortages are most pronounced.
1. Be equally skilled in tech and legal
Specializing in cybersecurity and the law covers privacy, compliance and data protection legislation. These specialists, such as privacy officers and data protection officers, should be equally skilled in law and cybersecurity technology. They help companies find ways to organize digital data storage, processing and protection that comply with legislation.
The demand for cybersecurity and law specialists will grow in areas like the Internet of Things (IoT), as privacy and personal data regulation increasingly cover these services.
Specialists in this area tend to be more skilled in law than technology. For example, data protection officers can usually tell the company how it should organize data processing and protection, but they can’t always say how to achieve that. When communicating with IT specialists, they need to know how to speak their language.
In the US, compliance and data protection officers earn an average salary of 81,000 US dollars, according to Glassdoor, while ZipRecruiter says privacy officers make 113,000 US dollars.
2. Be able to connect all the pieces
Cybersecurity architects design and test cybersecurity systems. It’s a more well-known role, but demand is still outstripping supply. Companies want experts who can see the whole picture and connect all the pieces to make one mechanism that works.
Cybersecurity architects should know enough about all aspects of cybersecurity in their company, from endpoint protection to anti-targeted attack mechanisms. They don’t need to know as much detail as dedicated experts, but they need to know enough to build proper protection systems, such as how parts of the infrastructure work together. They also need strong management skills.
The rewards reflect the shortfall of people with all these skills – Payscale says IT security architects in the US earn an average salary of US$123,000.
3. Be able to detect anomalies in constant white noise
While fewer workplaces need more exclusive specializations like big data analysis, there’s still a lack of skilled people.
Big data analysts build mathematical models to detect anomalies. If a company needs advanced-level cyber protection or offers specific cybersecurity services like system integration, they’ll probably need a big data analyst.
Ecommerce, banks and digital services also use big data analysis and math modeling, as does any business that holds data about user behavior and events. To detect behavior anomalies in constant white noise, and create algorithms to describe what happens in response, you’ll need strong analytical, mathematical, statistical and modeling skills, and in-depth knowledge of cyber-threats and attacks.
In the US, you could earn $117,000 as a cybersecurity data scientist.
4. Be strong on detection and response
There are still opportunities and room for improvement in traditional and common specializations.
Employees in security operations centers (SOCs) remain in high demand, but the focus is changing. As the cybersecurity industry has learned, no organization can prevent all attacks and breaches, so detection and response are now more central than threat prevention. Companies need to be able to track attacks and breaches early and minimize damage.
This means SOCs need specialists who can detect threats and know what to do next. They’ll know how to create detection rules and algorithms for detecting attacks and incorrect user behavior.
5. Be someone with soft skills
Managers in cybersecurity often lack ‘soft skills’ like communication, leadership, negotiation and business sense. Some 70 percent of IT decision-makers notice a communication skills gap among cybersecurity graduates.
Cybersecurity managers should be able to organize their department’s work to meet business demands. They should be persuasive and able to speak in the language other parts of the business use. Leadership skills are one way to stand out from the crowd; it looks like most cybersecurity professionals don’t yet consider leadership skills a priority, even in top management positions. Kaspersky’s 2019 CISO survey found only two percent put leadership in a successful CISO’s top three skills.
Filling the skilling
As university programs are limited and academic, self-education is vital. Students should choose one or more specialisms to develop. They should find out what skills and knowledge each requires, and proactively develop those using the many educational materials and communities out there.
When you start work, CPD (continuing professional development) is the mindset to adopt. Taking on tasks that develop new skills will help your career and help you avoid too much routine, which can lead to burnout.
‘Learn by doing’ is still the most effective way to gain knowledge and skills. When you ask your peers and managers to involve you in activities around the knowledge and skills you need, you’ll learn quickly and gain confidence while distributing the workload. Everybody wins.
Employers can also help. Many companies, especially IT vendors, are investing in employee education, training and development around cybersecurity. Employees need to understand the business’s priorities and choose a direction they want to develop in.
Building a career means not only developing skills and knowledge but making these visible above and beyond daily routines. This means having the courage to put yourself forward – perhaps the most valuable skill of all.