Cybersecurity world faces 'chronic shortage' of qualified staff

It's the number one problem, according to analyst


The number one issue facing cybersecurity firms is a "chronic shortage" of qualified staff.

That's according to the founder of market analyst Cybersecurity Ventures, Steve Morgan. "The single biggest trend, globally, is that there are chronic work shortages of qualified cyber security staff. It's an absolute epidemic," Morgan told supply-chain blog Channelnomics.

In 2016, Morgan's company gathered feedback from executives at the highest-ranked firms on its list of the top 500 cybersecurity companies, many of whom pointed to the same problem.

"We are one of the few industries globally experiencing zero-percent unemployment," said Robert Herjavec, CEO of cybersecurity outfit Herjavec Group. "Unfortunately the pipeline of security talent isn't where it needs to be to help curb the cybercrime epidemic. Until we can rectify the quality of education and training that our new cyberexperts receive, we will continue to be outpaced by the Black Hats."

John McAfee has also weighed in on the issue, saying that cybersecurity is "the least populated of any field of technology," and noting that there are two job openings for every qualified applicant.

On Sunday, Cybersecurity Ventures predicted that by 2021 there will be 3.5 million vacant cybersecurity jobs due to the lack of a "pipeline of security talent" combined with ever-expanding cybercrime.

For some time

The problem is not new. Two years ago, another widely cited report from consulting firm Frost & Sullivan warned that there would be a 1.5-million worker shortfall by 2020, and then increased it soon after to 1.8 million.

Despite record spending on security – and healthy salaries – nearly half of hiring managers say they are struggling to find cybersecurity staff for open positions, and 62 per cent of them have reported a shortage of information security professionals.

So what is the solution?

There are a number of organizations, including the Cybersecurity Workforce Alliance (CWA), that are actively trying to recruit more people into the field. The CWA was set up by the financial industry, based around New York, to close the skills gap given the importance of cybersecurity to money flows.

The new head of the Securities and Exchange Commission, Jay Clayton, is also using his platform to encourage coordination between companies and regulators to share threats as a way of limiting their impact.

Morgan argues that the limited degree of specialized education in information technology and computer science around the world is a major factor in the shortage. He highlighted Kevin Mitnick's KnowBe4 company as an example of training up IT staff to understand cyber threats.

It trains existing staff to recognize early warning signs on a network. "This lack of basic knowledge is plaguing the industry," Morgan argues. "For instance, some software developers don't understand IT security, and vice versa. Every corporation must be providing their staff with that kind of training." ®

Biting the hand that feeds IT © 1998–2022