Editor's note: This story is part of the Cybersecurity Dive Outlook on 2021, a series on the trends that will shape the industry in 2021. For a look at the business trends affecting other industries, see the Dive Outlook on 2021.
When the cybersecurity field emerged, experts were obviously rare. And with a widening talent gap, the same is true today.
Unfilled cybersecurity jobs will reach nearly 2 million globally by next year, according to the Center for Strategic & International Studies. Industry is aware of the looming talent gaps and for years has called on students to consider a career in cybersecurity.
The outlook is promising, yet barriers to entry remain. Neatly outlined paths into cybersecurity can produce experts with a narrow skillset, easily outdated as technology evolves.
Cyber is so fast-paced, even the most advanced technical skills can fall behind.
"I can teach you modern cryptography today, but quantum computing will probably come out in the next five to 10 years," said Scott Howitt, CIO of McAfee. Because quantum computing will eventually break all of it, cryptography is "off the table."
Howitt is on a cyber advisory board for the University of Nevada, Las Vegas, where he frequently dismisses the idea of more technical classes. What's needed more in the field are soft skills, especially curiosity, he said.
Today's cybersecurity workforce has diverse backgrounds, where education isn't always directly tied to security.
"You can learn this business in a whole bunch of different ways, and we need every curious individual," said Teresa Shea, VP of cyber offense and defense experts for Raytheon Intelligence & Space. "Everybody's got cyber awareness inside them." She should know: she earned a degree in electrical engineering.
To IT or not to IT
No 100 cybersecurity professionals entered the field in the same way. Though IT has been the traditional gateway, it's no longer an IT-first world, said Dr. Bret Fund, head of cybersecurity at the Flatiron School. Altering network administrations without considering the security implications is a nonstarter.
Regardless of the job — development, application security, infrastructure security, engineering or forensics — "curiosity is what is really, really necessary in order to be able to move forward," said Gerald Beuchelt, CISO at LogMeIn. Applicants also need an adversarial mindset, operating as if they want to break a system as opposed to architecting one.
The temptation to "break things" is a prerequisite echoed by other CISOs. Howitt, a CISO-turned-CIO, always asks candidates: "What do you do in your spare time?" Howitt wants their answers to indicate they're "ever-learning ... I love people that are building computers in their home."
Where cyber talent comes from varies. Nearly one-third of today's cybersecurity professionals were tapped from educational institutions, or as consultants and contractors, according to (ISC)²'s 2020 Cybersecurity Workforce Study. Twenty-eight percent transitioned from another department in their company.
An environmental science major, Jon Check graduated from deskside IT support to cybersecurity. Check is now senior director of cyber protection solutions at Raytheon Intelligence & Space.
Though IT is the obvious gateway to the "infinite game" of cybersecurity, cyber welcomes people with experience in finance, law, sociology, and so on, he said.
"I don't think we're going to be in a place where there'll be enough pure cyber individuals to fill all the roles anyway. So we need those people that in their second career decided they want to get into cyber," because they'll bring outside perspective, said Check.
A future of cyber professionals without any other experience could unintentionally pigeon-hole people into security careers. They may not be able to grow outside of the SOC.
"I think if you come from a cybersecurity background, you might be more likely to stay in that area and perhaps not be as likely to transition to some of those CIO roles," said Arve Kjoelen, CISO of McAfee. "I think with a very, very, very technical background, you were probably more likely to be a tactical operational CISO." Those kinds of CISOs stay in the weeds of tech.
Thick skin? Versatile? Please apply
The publicity of large-scale security incidents can lead to finger-pointing, but successful cyber practitioners are able to disassociate from what the public might conclude is their failure.
"A lot of things in cybersecurity are brutal. It's like a meat grinder. But the industry shouldn't be that way in order to fix the problems in cybersecurity," said David "Moose" Wolpoff, CTO and co-founder of Randori.
"The organizations that are successful, are probably the ones where you can get hacked, and not have to be afraid that everybody can get fired," said Wolpoff.
Analyzing expected employer demands between 2021 and 2025, job-growth analytics firm Burning Glass Technologies found the top-growing skills shift from retroactive security strategies to proactive security strategies. The firm used a database of more than 1 billion job records and 17,000 skillsets related to cybersecurity.
In application development security, the firm expects a 174% increase in abilities related to DevSecOps, a 155% increase in container security, and a 113% increase in microservices security over the next five years.
Information security analysts are expected to outgrow any other occupation in the next 10 years, according to the U.S. Bureau of Labor Statistics. Between 2019 and 2029, BLS estimates a 31% growth in the profession compared to the average occupational growth rate of 4%.
With AI woven into security analytics, analysts will transition from "investigating flags and potential incidents to analyzing data and making hypotheses about where threats will be," said Fund. The prospective changes in analyst expectations are "exciting and daunting" because they require mass upskilling.
(ISC)² estimates there will be at least 10,300 cybersecurity professionals for every 100,000 U.S.-based businesses. But the firm estimates the U.S. has a cybersecurity workforce of just over 879,000 people, and a widening 3.12 million gap in the global workforce.
Hiring shouldn't necessarily be done in the same way security is performed — dictated by patch goals, or weedy security sprints. Instead, holistic security organizations with lateral abilities will likely be the most successful at preventing attacks.
Cyber is crashing college
Of the cybersecurity professionals with secondary education, 49% studied computer and information sciences, 20% pursued engineering and 10% majored in business, according to (ISC)². Eight percent of the cybersecurity workforce have only a high school diploma.
Cyber is multidisciplinary, combining computer science, law, management and political science, said Fund. Because of this, it's going to take a very long time before a cyber-exclusive workforce emerges.
"My daughter's actually going through a pure cybersecurity education as we speak right," said Beuchelt, whereas he pursued secondary education in physics. But educational programs dedicated to security practices in mission assurance, for example, would not be ideal for a lot of today's security practitioners, he said. They belong to a "non-vanishing" group of cybersecurity talent.
Boomers (ages 55 to 73 as of 2019) account for only 13% of cybersecurity professionals, according to (ISC)². Millennials (ages 23 to 38) and Gen X (ages 39 to 54) make up the majority of cybersecurity professionals, 44% and 39%, respectively.
Gen Z, or those just entering the workforce or secondary education, makes up only 1% of cybersecurity professionals. It's a generation that could directly go to school for cyber, as opposed to making a career change later on.
Certifications are an avenue 63% of the world's cybersecurity workforce pursue because they permit an ongoing education, according to (ISC)². Vendor-specific and vendor-neutral certificate programs are evenly split between employer requirements, 49% and 47%, respectively.
Because of the opportunities certifications extend to security and non-security professionals, a workforce of people with exclusively cyber backgrounds is unlikely anytime soon.
"Weirdly, the collegiate cybersecurity community has a strong overlap with DEFCON Hacker," in order to appeal to natural hackers, said Wolpoff. But "I don't like the idea of a pure cyber background, because I think myopic experiences are kind of the problem of technologists," leading them to make poor business decisions.
When it comes to risk-based decision making, security professionals need to be able to overlay the technical details with the business' bottom line — communication outside of technical details is not just a skill CISOs need.
Business skills are also becoming non-negotiable prerequisites for CISOs of today, which require the executives to:
- Read balance sheets
- Present risk and threat assessments before a board
- Translate advanced persistent threats (APTs) into monetary risk
These areas are where technically minded security workers struggle. "You might want to go get a finance MBA, or a management MBA," said Howitt. "I'm a physics major. I didn't go to school to become a cybersecurity guy."