The number one issue facing cybersecurity firms is a "chronic shortage" of qualified staff.

That's according to the founder of market analyst Cybersecurity Ventures, Steve Morgan. "The single biggest trend, globally, is that there are chronic work shortages of qualified cyber security staff. It's an absolute epidemic," Morgan told supply-chain blog Channelnomics.

Morgan's company in 2016 gathered feedback from executives listed highest on the company's list of 500 top cybersecurity firms, many of whom pointed to the same problem.

"We are one of the few industries globally experiencing zero-percent unemployment," said Robert Herjavec, CEO of cybersecurity outfit Herjavec Group. "Unfortunately the pipeline of security talent isn't where it needs to be to help curb the cybercrime epidemic. Until we can rectify the quality of education and training that our new cyberexperts receive, we will continue to be outpaced by the Black Hats."

John McAfee has also weighed in on the issue, saying that cybersecurity is "the least populated of any field of technology," and noting that there are two job openings for every qualified applicant.

On Sunday, Cybersecurity Ventures predicted that by 2021 there will be 3.5 million vacant cybersecurity jobs due to the lack of a "pipeline of security talent" combined with ever-expanding cybercrime.

For some time

The problem is not new. Two years ago, another widely cited report from consulting firm Frost & Sullivan warned that there would be a 1.5-million worker shortfall by 2020, and then increased it soon after to 1.8 million.

Despite record spending on security – and healthy salaries – nearly half of hiring managers say they are struggling to find cybersecurity staff for open positions, and 62 per cent of them have reported a shortage of information security professionals.

So what is the solution?

There are a number of organizations, including the Cybersecurity Workforce Alliance (CWA), that are actively trying to recruit more people into the field. The CWA was set up by the financial industry, based around New York, to close the skills gap given the importance of cybersecurity to money flows.

The new head of the Securities and Exchange Commission, Jay Clayton, is also using his platform to encourage coordination between companies and regulators to share threats as a way of limiting their impact.

Morgan argues that the limited degree of specialized education in information technology and computer science around the world is a major factor in the shortage. He highlighted Kevin Mitnick's KnowBe4 company as an example of training up IT staff to understand cyber threats.

It trains existing staff to recognize early warning signs on a network. "This lack of basic knowledge is plaguing the industry," Morgan argues. "For instance, some software developers don't understand IT security, and vice versa. Every corporation must be providing their staff with that kind of training." ®