Jobs: Companies struggle to find skilled cybersecurity workers as attacks intensify

Key Points
  • Cybersecurity firms are having trouble attracting and keeping skilled workers to help protect networks.
  • Some 2.8 million professionals work in cybersecurity, but an additional 4 million trained workers would be needed to close the skills gap and properly defend organizations, according to one study.
  • The labor market is a challenge, and mentality among workers has shifted, with many candidates wanting to work as contractors instead of full-time staff.
4M Cybersecurity workers needed globally to close skills gap

WASHINGTON — As internet crimes and abuse stalk the globe, cybersecurity firms are having trouble attracting and keeping skilled workers to help protect networks.

Today some 2.8 million professionals work in cybersecurity around the globe, but an additional 4 million trained workers would be needed to close the skills gap and properly defend organizations, according to the 2019 ISC2 Cyber Security Workforce Study. The global nonprofit is the largest association of certified cybersecurity professionals. The data reveals that in the U.S. alone, nearly a half million workers would be needed to fill the shortage.

"The volume of attacks and sophistication of attacks from around the world continue to increase," said ISC2 CEO David Shearer. "We have nation-state types of attacks, criminal activity types of attacks and individuals that are just trying to do fraud and cybercrime. And so as these activities on the web continue to grow, there continues to be less and less of the qualified people that we need to conquer those attacks."

TDI, a cybersecurity firm in Washington, has some 70 employees in the United States and Europe working on protecting entities including the Navy, NGOs and banks. The company is looking to add 15 more cybersecurity specialists on the services and solutions sides of the business. Among TDI's employees is Mandi Ingersoll, now 40, who started her career in cyber in the Navy and now works as an analyst.

Mandi Ingersoll works as a cybersecurity analyst for TDI in Washington, D.C. nearly half a million skilled cyber workers are needed in the US to close the skills gap and properly defend organizations.
Kate Rogers | CNBC

"Back in 1998, when I first started in the Navy, I picked the IT field because I knew it was going to be up and coming," she said. "When I retired, I decided to stay with that because I already have 20 years [experience]. It's interesting because there's always something new, you're never looking at the same thing ... and this is not only critical to commercial or private sector sites, but also the federal government and military."

Finding and keeping talent

The survey finds that 65% of organizations report a shortage of cybersecurity staff, and more than a third say that skilled personnel is a top concern. Shearer says talent retention is a continual issue in this tight labor market, and burnout can occur as the number and severity of cyberattacks intensify.

"[Workers] know that they can move virtually wherever they want to because somebody out there is always going to need another cybersecurity professional," he said, adding that skilled and entry-level workers are needed as the workforce ages. "We need to have skilled people right now that can do the work but we also need to be building that cadre of the next wave of people coming in to replace those that will be retiring in the not too distant future."

Salaries can also be lucrative. ISC2's data finds the average North American salary for cybersecurity professionals is $90,000 a year and those who hold security certifications can make more. Roles vary from those working in consultation, to developers creating cybersecurity programs, to risk and compliance.

Finding and retaining talent is a top concern at TDI — the company traditionally has strong retention rates — but the labor market is a challenge and mentality among workers has shifted, with many wanting to work as contractors instead of full time, said CEO Paul Innella. Another newer phenomenon is "ghosting" where job applicants don't show up for interviews and sometimes even jobs they've been hired for.

"We are finding that folks quite genuinely will not show up, and never return your call again. We have actually found some folks who we've hired just didn't show up," he said. "I do believe there are some unique challenges we have never seen before."

An added headwind is the fact that Amazon's second headquarters is nearby in Virginia, tightening competition as TDI continues to build on its existing software product, making retention all the more important.

"It's cutting into a very limited market, particularly with software developers," he said. "So we're now battling against what is an attractive San Francisco, West Coast-based company and we as a smaller cybersecurity company are coming up with interesting ways to try and keep people here instead of going to them."

TDI is looking to recruit more female talent, recently bringing on its first female executive, Elizabeth Sutton, director of strategic programs and operations, and is actively in search of women like Ingersoll to fill cyber roles. The company offers generous benefits along with innovative training initiatives, such as the TDI Titans program, which helps workers gain additional experience and training to advance their careers. Other perks include bonuses, gym memberships and cash rewards for ideas brought to patent.

"We are trying to incentivize engineers that have ideas where we can cultivate them to become an entrepreneur, too, and hopefully help build that out with them," Innella said.