Jim Menendez

U.S. Cybersecurity Practice Lead, CGI Federal

Across business and technology media alike, I’ve seen frequent coverage of the hundreds of thousands of cybersecurity and IT security job openings that are not getting filled. By 2022, the cyber talent gap is estimated to exceed 1.8 million jobs.

In all industry verticals we continue to hear about more companies and government agencies suffering from cyber-related breaches and ransomware attacks. There is no question that supply is low, demand is high, and that the demand is not abating.

Competing with new sectors

Additionally, IT security jobs are no longer limited to the technology industry, as law enforcement, commercial retailers, and other sectors are all pulling from this same limited pool of resources. About a year ago at a cyber conference with state leaders, the head of a state law enforcement organization described to me how investigatory crimes have changed dramatically in the last decade. Today, more than half of this leader’s staff is following up on cyber-related incidents, fundamentally shifting the skills needed for their operations.

Growing and keeping talent

Earlier this year, the National Governors Association published A Governors Guide to Cybersecurity, which points out that “…the most direct challenge governors face is making sure that their states’ systems are cyber secure. Hiring new employees, training or retraining current employees and contracting out for cybersecurity services are three ways that states can meet their needs.”

But these are difficult tasks to achieve when cyber resources are in such high demand.

I have seen companies train some of their best talent in cybersecurity, only to watch these folks leave for higher salaries. I’ve also seen salaries more than double for cyber experts going from one private sector job to another.

Rightfully, many organizations are contracting out for these skillsets. Yet, some may not be mindful that this is a supplier’s market and think they can contract for lower-cost talent. I know of one government agency that contracted out their IT security to the lowest bidder, only to find that the contracting firm couldn’t hire the right talent at those low rates.

While some universities are stepping up to create cyber-related curriculums and degrees to help feed the pipeline, much work needs to be done to bring more professionals to the workforce. Where accreditation programs do exist, many new graduates are lured to perceived “sexier” jobs in gaming or robotics.

Until supply catches up to demand, these challenges will continue to increase for both industry and government.

So, what can the public and private sector do to help bring forward more cyber skills and talent to fill the gaps?

    • Recognize and accept that the supply and demand issue is real. Simply stated, organizations will need to pay a premium for this talent until more resources are available.
    • Find and train from within and then compensate correctly. Identify people in your organization who have analytical skills and a passion for cybersecurity, and then train them in the needed skill areas. Once trained, assume some will leave, but paying them market value after they are performing in these new roles will mitigate the risk they will leave. Also, recognize that some may have different motivations to stay at an organization, such as vacation time, medical coverage, training, or even mentorship.
    • Leverage low-level automation. Maturing an organization to utilize more low-level automation tools can help reduce some requirements for security-related FTEs. Today, there are automated tools available to help IT security staff with a number of data collection activities, such as collecting data around a security incident.
    • Advocate for cybersecurity curriculums. The private sector should work with two- and four-year colleges to hype recruiting and help colleges set up curriculums and certification programs. Vocational programs in high schools are also an opportunity where students could spend time learning and working side-by-side with cyber professionals. The private sector can sponsor job shadowing opportunities that would meet laboratory requirements or partner with local universities to incentivize prospective students with guaranteed internships or even job placements. These are very important activities because, even with the supply and demand issues, companies can be apprehensive about hiring new graduates with no hands-on experience.

Another action organizations can take is reducing cyber incidents by shifting to a cyber-aware culture. Cyber breaches often result from an employee clicking on an email attachment from an unknown or fraudulent source. Everyone’s cybersecurity posture is improved when awareness improves. A cyber-aware culture means having widespread recognition that cybersecurity is part of everyone’s job now. See my earlier blog on this topic.

Technology is more and more integrated into our lives, and these connections are exposing new or different cyber risks. As organizations continue to invest in digital technology solutions to meet consumer and citizen demand, both the public and private sector must also invest in ensuring better cyber protections. This includes growing our cybersecurity talent so there’s enough to go around.

1 (ISC)² Global Information Security Workforce Study (GISWS)

About this author

Jim Menendez

U.S. Cybersecurity Practice Lead, CGI Federal

Jim supports CGI’s cybersecurity practice in managing the delivery of security consulting, engineering, advisory and managed security services for U.S. clients. He drives cybersecurity business development in government and commercial markets, and contributes to CGI's cybersecurity and cloud strategies by leveraging his depth of ...