A serious shortage of cybersecurity experts could cost companies hundreds of millions of dollars

  • Cybersecurity has become a major priority for organizations looking to protect themselves against the massive cost of data breaches — but there's an international problem hindering that goal.
  • There are 2.93 million cybersecurity positions open and unfilled around the world, according to non-profit IT security organization (ISC)².
  • Without trained security staff, organizations don't have the capability to deploy the right controls or develop security processes to detect and prevent cyberattacks, an expert explains.
ISRAEL-ELECTION-INTERNET-BOTS
Jack Guez | AFP | Getty Images

Attempted cyberattacks are no longer an "if," but a "when." And, for many companies, hackers will win.

In the first half of 2018 alone, more than four billion records were compromised to data breaches.

That comes at a heavy price, according to a 2018 study by IBM and the Ponemon Institute. The average data breach cost companies $3.86 million, the study found, and large-scale breaches can hit $350 million.

Against that backdrop, companies are eager to hire cybersecurity experts to guard against those risks. The problem: There aren't nearly enough people who can fill those roles.

The demand for skilled security professionals is one of the biggest challenges facing the cybersecurity industry today, with 2.93 million positions open and unfilled around the world, according to non-profit IT security organization (ISC)².

Without trained security staff, organizations don't have the capability to deploy the right controls or develop specific security processes to detect and prevent cyberattacks, according to Jon Oltsik, senior principal analyst at IT research firm Enterprise Strategy Group. On top of that, current employees face the challenge of an ever-shifting industry.

"I always say that cybersecurity professionals are like physicians, in that they have to spend ample time studying the latest research and threat intelligence," said Oltsik

A pipeline problem

Ten years ago, organizations typically left cybersecurity responsibilities to a handful of general IT staff. Then, cyberattacks were conducted by "amateurs who were doing it for fun," said Heather Ricciuto, IBM Security's academic outreach leader.

With the introduction of more internet devices such as cloud-based systems into corporate operations, companies were opened to attacks on a growing range of fronts.

As that change took place — and attacks grew in sophistication — organizations realized they need help. The resulting rush for cybersecurity talent depleted the market, and the amount of new specialists coming out of schools and training programs has not kept up, Oltsik told CNBC.

"There is more demand for talent, and not enough talent out there," Oltsik said.

The lack of resources at an educational level is a significant contributor to the shortage, IBM experts said.

While hands-on, technical skills are the most sought-after by employers, many schools lack trained teachers or course materials in cybersecurity — depriving students of the opportunity to pick up critical skills required of cybersecurity professionals today.

For years, cybersecurity was not a common area of study and there weren't a lot of programs focused on it, Ricciuto explained. In fact, a 2016 survey from Raytheon found that 62 percent of students from 12 countries said that a career in cybersecurity had never been mentioned to them by their career advisor or teachers.

People are the 'weakest link'

A lack of cybersecurity staff can also increase the risk of other employees' errors — which has long been touted as one of the largest cyber risks for businesses.

"What we hear from experts is that the human is the weakest link in cybersecurity. Humans are not perfect and they can easily be tricked," said Cassy Lalan, a spokeswoman for IBM Security.

That is, experts say the easiest way for hackers to access a company's systems is from the inside, through untrained employees.

Without the appropriate level of cybersecurity skills training, non-technical employees are more vulnerable to so-called social engineering tactics, such as phishing emails, which capitalize on ignorance and negligence. That allows hackers to gain an initial foothold in a company's data system.

As employees unknowingly fall for such traps, that adds to the workload of the cybersecurity staff — which may just further compound the problem.

"When the cybersecurity team is busy putting out fires, they don't have enough time to develop training courses, work with business units, or educate the workforce," Oltsik said.

Bridging the gap

At the end of the day, experts said, the solution to companies' cybersecurity problems will mean finding a way to recruit more skilled professionals.

Ricciuto said companies should focus on opening up the scope for cybersecurity education and hiring: The key is to focus on skills and not degrees alone.

"(IBM is) looking for people with non-traditional backgrounds for security. We have a number of people with backgrounds in music, political science that you might think are unrelated to tech — but they bring a whole different perspective to the table," she said.

People who really succeed in this industry have a combination of knowledge and technical skills, Ricciuto added.

Both the cybersecurity industry and national governments will have to be intentional in their efforts to develop the talent pool, according to the IBM expert.

"Honestly, we're all at risk. Whether you're talking about a large enterprise or an individual, the risk is not limited to any particular class of individual," she said. "It's important for industries, governments, NGOs to work together because nobody can do it alone."