Solving The Cyber Skills Gap With An Investor's Mindset

Indeed recently published an article on the 'Global Cybersecurity Skills Gap' in which they discussed the continued lack of supply of skilled computer security professionals. The article estimates a current 1 million person gap in skilled security workers worldwide, which is predicted to increase to 1.5 million by 2019. In the age of computer commoditization and information globalization, that we need more people to secure and protect our increasingly mobile flows of information is not a huge surprise. 

What is surprising from the graphic above is that, while demand for security positions is exploding across the world, and given the underemployment in most of the industrialized nations where that demand exists, 'interest' in cyber security positions still does not meet demand. Why are more people not flocking to security positions given the demand and the persistent levels of unemployment in the young, educated worker category?

The chart above, from a Marketwatch story on college graduates and job quality, shows that college graduates struggle to find 'college quality' jobs when they enter the workplace. While within a few years they do find work, a significant portion (over 40 percent) are still struggling to find positions that meet their educational qualifications after 4 years of trying. Further, college grads often move into fields that are not related to their majors and not necessarily their first choice of job. Why the job dislocation for young graduates, you ask?

Here are two charts that illustrate the trends in employment rates by age group, from a study at Advisor Perspectives.

The influx of experienced, over-65 workers has largely affected the prospects of college-age workers, but so has the increase in female participation. This is not to lay blame on those two groups; the broader observation is that inclusiveness in the workplace, automation affecting roles previously 'held by humans', and globalization of talent pools have created a gap in the number of highly educated workers that are needed, where, and in what fields. Perhaps this is why college graduates recently said that getting a college degree was worth the cost. A very significant portion are not seeing the benefits of their hard work in their chosen field, either immediately after graduation or even an additional 4 years after. The career path bar has effectively been redefined and raised at the same time for the younger generations compared to what their parents and grandparents experienced in their younger years.

Back to security jobs. If there are people who are skilled and need college level work, why can't at least some of the current college graduate gap be addressed by moving smart people into the security fields, at least as entry-level analysts, and in many cases as senior analyst types who translate the technical language to the management side for better risk management decision making? As a security worker, I can attest the latter is one of the most underdeveloped positions within the security industry. 

While companies seem to have poured security budget dollars into products and tools, the failure of companies to develop existing technical and managerial talent into security professionals is a critical failure that hampers the effectiveness of the best tools and processes. It has been a primary focus of companies for years to develop their overall talent because good people deliver better processes and tools and maximize efficiency and effectiveness. This idea, however, doesn't seem to have caught on in the security field.

Looking out at the job market for cyber professionals, one sees many position postings looking for a diverse set of skills. Drilling down into the details of the position requirements reveals the problem. Employers are asking their job applicants to already possess every possible skill related to their job so they are 'ready out of the box' to apply their knowledge. This occurs because human-resource dollars provided to security teams are scarce, so the lack of any critical skill in ample supply could lead to the perceived failure of security organizations to serve company needs. This perception can actually lead to a reduction in security spending - it is harder to argue for budget increases when past production has not met targets, regardless of whether those targets were really reachable.

Rarely, however, do candidates possess the exact mix of skills and systems knowledge needed to match a given company's requirements. This is in large part due to the lack of standardized application and system delivery models. Every company's systems are different, therefore no person will likely have the diversity of skills already baked into their resume to match an employer's needs. The pace of technological innovation required to compete in the global marketplace has increased so quickly that timely standardization is an almost forgotten concept. Those that can innovate the fastest will prosper while those that rely on existing process are likely to perish, and perish quickly. Therefore, instead of matching specific skill inventories where those inventories are changing so fast they cannot be permanently defined, codified, and cultivated, perhaps there is a more effective approach to recruiting talent.

More likely, each candidate possesses certain *attributes* that would be valuable to the security team in many different organizations. For instance, employees who have good investigative skills and a knack for understanding technology would make great incident response investigators. But there are not enough experienced incident response investigators to go around. So why don't companies look for the attributes of a successful incident response investigator, and develop them internally? The risk is that as soon as an employee is sufficiently trained and has gained a few years' experience, they will get paid more somewhere else and take their skills with them. This has always been a risk in any position, however, and is not new to security. Employee retention for in-demand jobs is high, and security is no exception. Eventually, as more positions are filled, the monetary rewards for switching employers will lessen and it will be more about tenure, commitment, and personal soft-skills development, as it is in other fields. Further, as the pace of innovation increases, those who have the right attributes to take on new concepts will prosper over those who are dependent on specific technology skills which may become less relevant and useful over time.

The bigger issue is how to keep identifying the right attributes of successful security analysts, researchers, managers, and compliance auditors so that a pipeline is built to service company needs. Very few companies have adequately identified proper succession plans for their security teams as they have for their more traditional positions in accounting, marketing, IT, manufacturing, and management. Further, studies continue to indicate that budget limitations for security teams continue to be a pervasive industry issue that hampers the ability to staff and implement critical security functions and keep them growing along with the companies they serve. It is high time that security professionals are planned and budgeted for as well as other important roles.

This does not bode well for individuals and companies wishing to protect their valuable systems and data. It does, however, increase the value of effective solutions being brought to the market by companies in the cyber security space. The problem is that tools don't do much actual good unless people are there to integrate them into effective processes and also analyze and act upon the data the tools provide. Without people, tools don't mean much and quality processes don't get built consistently.

From an investor's perspective, what does this mean? It means that while investment in things will continue to grow, investment in developing people in security roles remains a relatively underdeveloped frontier. If you are interested in a security profession, those dollars you may have put in a stock or bond fund (or better yet commodities and productive real estate) may be better spent on developing yourself and capitalizing on the security professional gap. It is one way, especially if you are a young educated graduate, to maneuver yourself into a better position for finding a good-paying 'college quality' job. The expected return will be higher in the short run as it will provide more discretionary income for traditional market investment later.

If you are an experienced worker, identifying whether you have the right attributes for the various security professions could help you push past any ceiling you may have reached in your current position offering less job growth. But you may have to invest in some basic technology skills development to prove you can survive in a technical field. I wouldn't focus on this on your resume, but rather focus on your problem-solving skills and soft skills while moving into one of the aforementioned analyst roles that translate technical speak into effective management risk identification and decision-making.

For those who have not gone to college, I will offer the radical idea of skipping traditional 4-year education entirely while focusing on those courses that will develop much needed entry-level technical acumen and attributes for a successful security practitioner. That and taking internships and entry level tech jobs to build a resume will go a longer way than an unrelated degree in history, English, or the social sciences. Believe it or not, some of the best technical workers I have come across in my career started in one of the liberal arts in college before moving over. They largely don't attribute their success to their formal college but rather to their ability to analyze and think on their feet. Once a secure footing in the security field is established, many employers offer programs to help pay for traditional college if that is a requirement to stair-stepping into higher levels of management. 

As for market investments, my suggestion is to look for firms that spend a significant portion of their revenue either training, identifying, placing, or enabling security workers. I believe this to be one of the best growth investments in the next decade until the cyber skills gap has shrunk significantly. 

Further, I would expect investment in security products (tools) to continue to increase in a logarithmic fashion, at least until the perceived risk of losing critical information is about even with the risk of spending too much time and resources to protect it. I think we are still a long way off from reaching this equilibrium point between safety of information and the over-burdensome cost to protect it. When stories appear declaring that security spending far exceeds the costs of security incidents, then we know we have reached that point. However, tools spending will plateau long before spending on talent development will. In fact, talent development will always attract dollars on a consistent basis as talent is needed to develop, implement, and interpret data from security tools and systems.

Right now an investor can almost throw a dart at security investments and have a reasonable chance of not losing their money, excepting some firms who lose their focus along the way. Most investments that centralize management, increase transparency and relevancy in management reporting, and provide flexible deployment models for security processes and tools will do well going forward. Those that fail to see trends in computer and network function virtualization and do not provide scalable customizable security solutions will fall behind. Those that recognize the importance of people in the process, and further provide for people-centric development of security processes will be the most successful. Conversely, those companies that focus on just the bits and bytes of the security problem will eventually fade away into the annals of security history. 

The author is not invested in any funds mentioned in the article. 
