Cybercrime is victimizing US companies and consumers, but a gap in cybersecurity skills presents a problem for the federal government. ESET’s Stephen Cobb investigates.

These are politically charged times in America, but the rampant cybercrime that is victimizing US companies and consumers these days should not be taken as a sign that the federal government has not been trying to do something about the problems of cybersecurity. Four years ago, president Obama launched the process that led to the creation of the NIST Cybersecurity Framework and a broad range of organizations now use this framework to guide their cybersecurity efforts.

Unfortunately, many of these efforts are hindered by a shortage of qualified candidates for cybersecurity jobs. We have talked about this cybersecurity skills gap before on WeLiveSecurity; for example, here, and more recently, here. The gap is the result of several factors, including a rapid expansion in the use of digital technology, accompanied by an increase in its abuse for criminal purposes.

At the same time, a lot of experienced security professionals are reaching retirement age, while many of today’s students find the potential rewards of building tomorrow’s technology more appealing than the task of securing yesterday’s.

“Every year in the US there are 128,000 openings for Information Security Analysts, but only 88,000 workers currently employed in those positions.”

This is another area where the federal government has been proactive. Just a few months into his first term, Obama launched the National Initiative for Cybersecurity Education (NICE) to address the need to expand the cybersecurity workforce.

A very visible example of these federal efforts is the website CyberSeek.org, which provides “detailed, actionable data about supply and demand in the cybersecurity job market”.

Unfortunately, the cybersecurity skills gap is proving to be a tough problem to solve. Consider these numbers from the CyberSeek site: “Every year in the US there are 128,000 openings for information security analysts, but only 88,000 workers currently employed in those positions – a talent shortfall of 40,000 workers for cybersecurity’s largest job.”

But wait, there’s more (or less, depending on how you look at it): “There are 220,000 additional openings requesting cybersecurity-related skills, and employers are struggling to find workers who possess them. Jobs requesting skills, for example, remain open 96 days on average.”

CyberSeek offers two interesting tools to help deal with this problem: the Career Pathway and the Cybersecurity Supply/Demand Heat Map. The latter is regularly updated and presents some eye-opening numbers. Consider the number of online job listings for cybersecurity-related positions from July 2015 through June 2016: roughly 350,000.

To put that in context, consider the estimate for the total number of employed cybersecurity workers in 2016: about 780,000. You don’t have to be an expert in labor economics to know that things are out of whack when one year’s worth of job openings in an industry is 45% of the total workforce.

Another indicator of things being “out of whack” – which is not the technical term, but definitely seems to describe the situation – is the number of job openings in the US that request the Certified Information System Security Professional qualification, relative to the number of people in the US who are CISSPs: 93,000 to 70,000.

This particular gap, of 23,000 people, tells me two things. First, there are probably not enough CISSPs in America right now; and second, a significant number of those job openings could probably be filled by people who don’t have their CISSP. Why would that be? Because too many companies don’t understand what a CISSP means, and only ask for it because they see it listed in other security job ads. I wrote about this problem last year, when I reached my 20-year anniversary as a CISSP, and clearly some of the issues that I identified persist.

“Too many companies don’t understand what a CISSP means, and only ask for it because they see it listed in other security job ads.”

One of the most frustrating issues is the continuing lack of clarity about cybersecurity roles and KSAs: the knowledge, skills, and abilities required to perform the different roles that comprise the information systems security mission.

That’s where the CyberSeek Career Pathway comes into play. This interactive tool embodies the National Cybersecurity Workforce Framework (the Workforce Framework), the initial goal of which was to establish a standard taxonomy for all cybersecurity work and the workers who perform it, regardless of employer or industry sector.

To accomplish this, NICE resolved cybersecurity work into 31 specialty areas organized into seven categories: Securely Provision; Operate and Maintain; Protect and Defend; Investigate; Collect and Operate; Analyze; Oversight and Development. NICE went on to identify the KSAs required for each role and then mapped possible career paths for cybersecurity workers, as seen here on the CyberSeek website:

The CyberSeek tool does more than you see there, allowing you to drill down to the education, skills, and qualifications requested for any given job description, with alternative titles used for that job, the number of openings, average salary, and pay range. If someone is interested in pursuing a job in cybersecurity then the National Initiative for Cybersecurity Careers and Studies (NICCS) provides an online resource for locating cybersecurity training. The NICCS site lists over 3,000 cybersecurity-related training courses offered in the US and you can search them by keyword, specialty, and location:

These tools are free and I hope that they will help people to enter, and progress within, the cybersecurity field. Unfortunately, this field is in competition with many others. In other words, the cybersecurity skills gap is not the only gap the US has to worry about.

You may have seen this headline last month: “Trump’s infrastructure splurge would collide with US skilled labor crunch”. And earlier this year there was this warning in the Wall Street Journal: “The US could run out of occupational therapists, railroad engineers and other workers, potentially leaving the economy in a long-term slump”.

The US Federal Reserve Board considers 4.8% to be “the natural rate of unemployment”; in other words, anything below that constitutes full employment. That means most job openings have to be filled by people leaving existing jobs. The US unemployment rate last month was 4.7%, so it’s not like the country has a lot of “spare” people from whom to recruit the cybersecurity workforce. I fear the skills gap may well persist for some time, despite our best efforts to reduce it.