Many analysts and business leaders believe there is a severe need for qualified cybersecurity professionals in the U.S., something that has caught the eye of at least one key congressman.
U.S. House Homeland Security Committee Chairman Michael McCaul (R-Texas) on Wednesday said more needs to be done to address the cybersecurity labor shortage.
"I agree 110% that we need to strengthen the workforce" of cybersecurity professionals, McCaul said during a meeting with reporters at the National Press Club.
McCaul was referring not only to cybersecurity workers needed for U.S. government agencies, but also for U.S. businesses that control the nation's critical infrastructure, including the electric grid and electronic healthcare records. "Eighty percent of the malicious codes are in the private sector," he said.
The need to fill cybersecurity jobs has been top of mind recently because of cyber exploits like the two massive Yahoo breaches announced late last year. Also, intelligence community revelations that Russia tried to influence the U.S. elections with various cyber exploits have galvanized some U.S. lawmakers, including McCaul.
Several experts have estimated the workforce shortage of cybersecurity workers in the U.S. -- across multiple job titles -- currently at 300,000 or more. The most recently available analysis, from the U.S. Bureau of Labor Statistics, said the shortage of such workers in 2015 reached 209,000. Globally, the shortfall of cybersecurity professionals is expected to reach 1.5 million by 2020, according to data published by the National Institute of Standards and Technology.
Despite such dire projections, there is at least one contrary point of view. A DHS official said in a blog post in November that the cybersecurity skills shortage is a myth.
For his part, McCaul plans to push for a cybersecurity agency within the Department of Homeland Security, partly to provide cyber assistance for national elections that are under state management. "DHS needs focus and resources," he said.
To fill cybersecurity job openings, U.S. companies have developed a number of strategies over recent years.
Major corporations such as AT&T have established in-house re-training of IT workers to become cybersecurity professionals. Also, AT&T has set up a rotational program so that a recent graduate can rotate through various departments at the company to become a well-rounded security expert.
"The labor shortage is a huge problem. Nobody can get enough resources," said Jason Porter, vice president of security solutions at AT&T, in an interview. "We're excited to see a bunch of colleges have launched new programs around cybersecurity, so we'll see more cyber talent. But companies are still way behind. Right now, cybersecurity is paramount. We are actively retraining our own employee base."
Over the entire company, AT&T currently has more than 2,000 cybersecurity professionals, he said. The company operates eight security operations centers globally and offers cybersecurity services to thousands of companies.
While AT&T and other major companies are trying to adjust, the security challenges are greatest for small and mid-sized companies, analysts said.
"Small and mid-sized businesses are suffering the most," said IDC analyst Sean Pike. "They don't have the money to pay for talent and not even for managed services. They are sometimes hiring inexperienced talent, like a security generalist, who will move into a specialty in a year or two. It's really difficult to attract and retain the specialists."
Pike said he's heard of security specialists who move into managerial roles in corporations and can make $250,000. One such manager moved into the vice president level and made $750,000, he said. With salaries at such high levels, smaller companies often have to resort to taking out an incident response retainer with a service provider for a year to protect against exploits.
Analysts said the problem isn't necessarily that no cybersecurity candidates are available to fill positions, but that there might be a lack of candidates to fill the particular positions that are open at the time.
Gartner in a recent report said that there is a "war for cyber talent as organizations seek qualified candidates in an environment where demand outweighs supply." Gartner noted that the Bureau of Labor Statistics expects the demand for cybersecurity professionals to increase by 53% through 2018.
Gartner also said security budgets in U.S. companies are not increasing enough to keep up with salaries for cybersecurity professionals that have "skyrocketed."
The cybersecurity labor gap is already causing "major vulnerabilities," said Gartner analyst Avivah Litan, in an email. "Many organizations are turning to outsourced and managed security services to fill their cybersecurity skill gap, but those managed services firms are facing their own recruitment challenges since there just aren't that many skilled cybersecurity professionals to fill the gaps."