If you work in IT – and even if you don’t – you’re probably aware of the huge shortage of cybersecurity professionals. Most companies are desperate for analysts trained to protect their valuable data from theft. On the surface, then, the future of the job market for cybersecurity seems bright.
Look a little deeper, though, and you’ll see that this headline hides a lot of complexity. At the moment, there are very few educational programs that are designed to give cybersecurity pros the skills they need to succeed in the industry.
And then there is the fact that ‘cybersecurity’ is not one job, but many. In reality, though the job market is full of unfilled positions, many of these require specific skills that jobseekers only rarely have.
The shortage of cybersecurity professionals
First of all, let's take a closer look at the apparent shortage of cybersecurity professionals. The Bureau of Labor Statistics claims, for instance, that the rate of growth for jobs in information security is projected at 37% from 2012–2022, and that there are currently 2.2 million unfilled cybersecurity roles.
These numbers are not actually that helpful, however. Cybersecurity is a huge, diverse, and relatively new industry, and statistical agencies typically don't understand it very well. As a result, it's very difficult to find out how many of these unfilled positions relate to IoT solutions, for instance, or how many require training in forensics.
Unfortunately, this lack of understanding is also a feature of the educational programs that are designed to churn out IT professionals. Despite the importance of security for all aspects of systems development and maintenance, cybersecurity is still not taught to students studying relevant and parallel subjects.
This has started to change, but very slowly. It's been almost 20 years now since the NSA launched the National Centers of Academic Excellence in Information program, but only now are we seeing a rise in the number of college-level cybersecurity majors.
Diversity and segmentation
When it comes to the immediate future of the jobs market for cybersecurity professionals, there are two key principles to keep in mind. One is that the market is likely to become even more diverse over the coming years. The second is that, as systems grow ever more complex, there will be an increased segregation of roles even between employees who sit (nominally) within a 'security' team.
These trends will likely have two effects on the job market. The first is that employees seeking cybersecurity roles are going to need to be trained in more depth (and for longer) than has been customary in the industry. This extra training is likely to be delivered through on-the-job training programs, however, rather than postgraduate programs, simply due to the specificity of the systems that cybersecurity pros now have to work with.
The second outcome of these trends is that cybersecurity pros who are already in the industry will need to continuously develop their skills in order to stay up to date with the latest systems and threats. This requirement can be difficult for established professionals to achieve, particularly given existing workloads in the industry, but will be critical.
As Diana Burley, a professor at George Washington University, told Monster recently, “Continuous professional development is critical in the field of cybersecurity because the nature of the threat continuously evolves. Many options exist for current professionals to augment their skill set; including certificates from technical training companies, additional degrees through university study, or stand-alone hands-on courses to develop specific skills. The right decision depends on specific knowledge or skill required. There is no one-size fits all.”
The key areas of development
There are likely to be three key areas of development when it comes to the evolution of the job market for cybersecurity professionals in the coming years: a high demand for IoT security solutions, a requirement for companies and teams to move to DevSecOps, and a further diversification of roles within the broad category of 'cybersecurity'.
Let's take IoT first. One of the primary reasons for the current shortage of cybersecurity professionals has been the proliferation of IoT devices: this technology now underpins everything from innovative retail solutions used by global shopping giants to the best home security systems that protect us while we sleep. At the same time, though, the rise of spyware in the IoT suggests that the technologies to secure these systems are not yet as developed as they could be.
Secondly, the industry-wide move from DevOps to DevSecOps means that many more IT professionals will need to integrate cybersecurity into their work. The days when 'security' was the responsibility of one analyst are long gone – today, everyone from systems engineers to CSOs will need a thorough grounding in cybersecurity practices.
Finally, the job market for cybersecurity is going to become ever more diverse, and roles ever more specific. Rather than general 'security analysts', firms will be looking for candidates with skills focused on specific systems or specific aspects of threat detection and avoidance.
Ultimately, and as Gary McGraw, vice president of security technology at Synopsys, told Forbes recently, this diversification will mean that the very idea of a 'security analyst' becomes a thing of the past, in the same way that roles in the medical sector have long been specialized.
As such, McGraw said it’s both glib and misleading simply to say, “We need a million more people in cybersecurity,” because it tends to create an image of all those people doing essentially the same thing.
The future is bright
Nonetheless, one thing is clear: the future of the cybersecurity job market is bright, even if it will be a more diversified place than it is today.
Ultimately, many jobs that don't currently include cybersecurity will come to include it, so that 'security' skills will become just one part of a broader technical education. At the same time, security professionals will also need to diversify their own skills, so that (again according to McGraw) any effective IT pro will need “deep coding experience and be a software person before plunging into software security.”