The Cybersecurity Skills Shortage

I read a great article this morning by Dr. Magda Chelly published in the Singapore Independent. The article discussed the cybersecurity skills shortage and the immediate need for more cyber professionals to fill existing job vacancies in Singapore.

The shortage of cybersecurity professionals is a global concern however, and Singapore is far from alone in its need for more qualified and experienced technical and managerial security professionals. The Cisco Annual Security Report has, for the past three years, highlighted a huge gap between demand for security professionals and the available supply, and that defenders are outnumbered five to one by attackers. Universities across the globe are struggling to adapt to changing demands from government and business in order to train the workforce of the future. A future where nearly everything will be conducted virtually via cyberspace and the inter-network of government agencies, businesses and individuals that power commerce, education and just about everything else. Securing that future will be critical for everyone.

Even in the United States where arguably there are more certified cyber professionals than any other country, a recent survey found 82,000 open positions requesting a CISSP yet at last count there were only 79,000 CISSP holders in the USA, nearly all of whom were already working at least one full time job. In fact, a recent study conducted by (ISC)2 found that cybersecurity workforce gap has increased to more than 2.9 million globally. The report goes on to state that of the 2.93 million overall gap, the Asia-Pacific region is experiencing the highest shortage, at 2.14 million, in part thanks to its growing economies and new cybersecurity and data privacy legislation being enacted throughout the region.

The (ISC)2 CISSP (Certified Information Systems Security Professional) is not the only cybersecurity certification however; GIAC Security Expert (GCE) and ISACA (Information Systems Audit and Control Association) certifications in security governance (CGEIT), security audit (CISA), information risk (CRISC) and security management (CISM) are equally prized. Most however require some level of experience putting potential candidates in a catch-22 position – you can’t get the certificate without experience; and you can’t get the security job in order to build the experience without the certificate. Maybe recruiters need to re-think this demand and look for broader skill sets and capabilities from entry or mid-level candidates!

That’s also one of the reasons why many people looking to enter the profession are completing university degrees in a cybersecurity related discipline. In fact, there are a heap of accredited universities today offering quality bachelors, masters and doctoral degrees, especially in the Australia and United States. Many of these are available entirely online and therefore accessible to Singaporeans, just as they are to residents of other countries who are willing and able to invest in the time and effort in their future. The nice thing about online degrees is that you can study at nights and weekends while holding down the current day job and salary, rather than take an unpaid sabbatical for 2 years or more to attend a bricks-and-mortar university as was the case just a few years ago.

A cybersecurity degree not only says a lot more about you as a candidate compared to someone who simply paid and took the CISSP or other exam, it also in many cases, will exempt you from the work experience requirement, thus opening the door for you to have both a degree and a professional qualification at the end of the day.

Unlike a professional qualification however, your cybersecurity degree will not expire if you forget or elect not to pay the annual club membership fees to the body issuing the certificate. Let’s not forget that these bodies have made a highly profitable business out of certifying cybersecurity professionals and each requires the payment of annual maintenance fees along with evidence of continuing education for you to keep your certification. A degree on the other hand is a qualification for life and will never expire.

So when should you embark upon an academic qualification like a cyber degree and when or who should just go for the CISSP or other professional certificate? The fact is, that depending on your age and experience, you will likely benefit from both. However, no qualification is a substitute for experience and that’s probably why it makes most sense for those in the profession with 5 to 10 years’ experience to get their CISSP or other professional qualification, and those entering security management to get their CISM. However, there’s nothing like a Masters or Doctoral degree to show a prospective employer that you really are an expert with deep cybersecurity and information assurance knowledge.

The profession needs more practitioners at all levels however and there are good rewards for those at the top of their game as I wrote about in a prior article discussing the role of the CISO or Chief Information Security Officer. A role which is quickly changing with the times.

My friend and fellow security evangelist Dr. Mansur Hasib from the University of Maryland University College has spoken extensively at numerous security conferences, as have I and many others, about the cybersecurity skills shortage. No matter where you are located, there is a drastic need for more entry-level security professionals, so if you are reading this while contemplating your future, this is one profession you should probably look at closely. With a 12x demand over supply for security professionals, a career in cybersecurity is not one about to go away any time in the near future. What’s more, where ever demand outstrips supply, professionals are usually going to be well paid and well looked after.

Warning – Highly Competitive Environment: Once established, you may be mildly harassed by recruiters wishing to hire you away from your current role for double the money to work somewhere else! (At least, for the immediate future.)

This blog is also posted on Linkedin

Subscribe to our periodic posts via email to periodic new posts so you don't miss them.

Original stories and articles may be republished without charge provided that attribution is provided to the source and author. Articles written for, and published first elsewhere, are subject to the republishing terms and conditions of the host site.