The Cybersecurity Profession Goes Virtual to Fill Gaps

By Eric Pulse

September 25, 2017

One tie that binds businesses across the board—public and private, industry and service—can be summed up in a phrase: “chronic shortage of cybersecurity professionals.” Numerous studies emphasize that claim, like a report by Cybersecurity Ventures that states there will be 3.5 million unfilled cybersecurity jobs by 2021, up from 1 million openings last year.

Another report from Frost & Sullivan and (ISC)² found that the global cybersecurity workforce will have more than 1.5 million unfilled positions by 2020.

To make matters worse, a poll conducted by Information Systems Audit and Control Association (ISACA) and the RSA Conference discovered that more than half of the global cybersecurity professionals polled reported that fewer than 25 percent of cybersecurity applicants are qualified to perform the skills needed for the job.

A recent survey by the SANS Institute showed that 66 percent of respondents cited skills shortage as an impediment to effective incident response and overall cybersecurity. Many security professionals maintain a general technical security skillset and are tasked with implementing reasonable practices and procedures driven by compliance. However, the rise in advanced threats and malware demonstrates the need for a more sophisticatedly trained professional.

The law of supply and demand has driven up the cost of these resources and many organizations simply cannot afford them, if they are even available. Many of the clients I work with have opted to outsource security functions given the limited availability of these skillsets.

The government has taken notice of this dilemma. Back in 2008, the Federal Chief Information Officers (CIO) Council recognized the impending problem. With the assistance of the National Institute of Standards and Technology (NIST), this Council took on the task of developing a framework to understand cybersecurity roles within the public and, subsequently, private sectors. The result of this effort was the development of the National Initiative for Cybersecurity Education (NICE) Framework as NIST Special Publication 800-181, which “establishes taxonomy and common lexicon that is to be used to describe all cybersecurity work and workers irrespective of where or for whom the work is performed.”

The framework is directed at employers (to help assess their needs), workers (to identify skillsets needed in the workforce), training and certification providers (to target knowledge, skills and abilities needed for developing courses/certifications), education providers (to assist in developing curriculum), and technology providers (to identify cybersecurity roles and skillsets relative to the services and hardware/software products they supply).

The framework emphasizes seven categories (common cybersecurity functions), 33 specialty areas (distinctions), and 52 work roles (specific knowledge, skills, and abilities required to perform tasks in a work role). The seven core categories defined in the framework include:

  • Securely Provision
  • Operate and Maintain
  • Oversee and Govern
  • Protect and Defend
  • Collect and Operate
  • Analyze
  • Investigate

These categories highlight the similarities to other information security-related frameworks (e.g., NIST SP 800-53, NIST Cybersecurity Framework, ISO 27001, SANS Top 20 Critical Controls) and emphasize best practices for information security, data protection, incident response and recovery.

Academia is continuing to add cybersecurity-related courses and degree tracks. The result of increasing the number of institutions providing cyber-related degrees is still delayed by two to four years. The workforce is only positively impacted if there are enough bodies to fill seats and the interest in a career in cyber is present.

Cybersecurity also has a gender problem: Only 11 percent of the world’s information security workforce are women, according to the Women’s Society of Cyberjutsu (WSC), a 501(c)3 nonprofit focused on helping women enter, advance and succeed in the cybersecurity field. Primary education providers should focus on recruiting today’s youth into cybersecurity-related courses by placing an emphasis on it in today’s traditional STEM programs.

All of this leaves organizations competing for skilled professionals to fill much-needed cybersecurity roles. In many smaller communities, the commensurate skillset doesn’t exist.

Many of these organizations are turning to the “virtual” professional. Businesses like Eide Bailly are offering “virtual” access to existing cybersecurity professionals and services to fill the gap. For more information, check out our services.