On the positive side, the current shortage of cybersecurity professionals in the U.S will likely resolve itself over the next several years as the result of recent efforts involving education, training and security awareness.
But for the time being, organizations will find it disturbingly difficult to find the skilled workers they need to defend themselves from internal and external threats, the RAND Corp. warned this week.
Not only will cybersecurity skills become increasingly costly, they will also become very hard to come by in the near future, said Martin Libicki, one of the authors of a 125-page report from RAND.
"There's plenty of evidence that there is a shortage" of cybersecurity professionals -- especially within government organizations, Libicki said. "The problem cannot be solved overnight. It will take a long time to get the right people into this profession."
The RAND report examines the nature and the source of the cybersecurity skills shortage in the U.S. and how the private sector and the government have responded to the crisis.
Demand for security professionals has skyrocketed since 2007 as the result of increased connectivity, raised awareness, more vulnerabilities and ever more hacker activity. The sudden and rapid rise in demand has led to substantial increases in compensation packages for security professionals in recent years, but that has done little to attract new cybersecurity professionals, RAND said.
"In the longer term, as long as demand does not continue to rise, higher compensation packages and increased efforts to train and educate people in cybersecurity should increase the number of workers in the field" -- putting downward pressure on salaries, it noted.
Some of the increased demand may also run counter to the underlying realities. Because of the heightened attention paid to cybersecurity, it's possible that some companies think they're at greater risk than they were a few years ago and assume they need more people.
As organizations come to better understand their true security needs, demand for cybersecurity workers may fall in the longer term, RAND said.
Here are four other takeaways from the report
Government organizations are hurting the mostThe increased demand for cybersecurity professionals has pushed compensation packages to levels that government organizations have a hard time matching. This is especially true for their ability to attract or retain top-level security professionals, Libicki said.
Government compensation is often constrained by rigid pay scales and grade levels that restrict the ability of agencies to hire the skills they need in a supply-constrained labor market. The problem is less acute for lower to mid-tier IT security pros.
"However, once professionals can command more than $250,000 a year, the competitiveness of the U.S. government as an employer suffers correspondingly," the report noted. Though special rates are often available to senior level IT specialists, the long recruitment processes, vetting and security clearance delays can discourage candidates.
Companies can pay all they want and still not find enough peopleIn the short term, the supply side of the manpower equation will not be responsive to higher salaries because there simply aren't enough professionals to go around. Since training and educating a new generation of cybersecurity workers can take years, organizations that need security skills will be hard pressed to find them.
On a positive note, the higher compensation packages offered to security professionals could begin to attract would-be hires from other areas such as engineering.
Organizations should look at alternate approachesCompanies and government entities should consider adopting more secure system architectures and best practices to reduce their dependence on manpower. Organizations spend close to $70 billion on cybersecurity annually around the world, Libicki said. If even a 10th that amount was invested in making software more secure, there would be less of need for so many cybersecurity professionals.
"We have a model that basically says 'I accept the world of software as is and I am going to patch everything at a systemic level,'" he said. It is an approach that is basically unsustainable in the long term. A company that has 600 security professionals today might require 1,000 in a few years -- and still not be secure.
Importing talent may not be a good approachA great deal of cybersecurity work is already internationalized, RAND said. For another, bringing in workers from other countries could depress wages and discourage U.S.-born professionals from entering the field. This could become a problem because foreign-born nationals will not have the security clearances required to work for many government organizations.