The cybersecurity industry is facing a jobs crisis. According to recent estimates, India alone requires an additional two million cybersecurity professionals in the next two years. Some put the global estimate as high as 3.5 million by 2022. Salaries are tracking these demands, with graduate level analyst positions in the US touching $100,000 per annum, the highest of any profession.
As the World Economic Forum’s Future of Jobs Report 2018 outlines, technological drivers are increasingly challenging traditional jobs and careers. Those that are charged with securing the digital revolution are scrambling for talent.
Nearly every technologically advanced state in the world is working out how to fill a skills shortage. But it is just as glib to state that we need more “cyber” people as it would be to say we need more “medical” people. With governments and corporations increasingly focused on building a Science, Technology, Engineering and Mathematics (STEM) pipeline, they are potentially excluding those with the backgrounds and skill sets required to keep pace with ever-evolving changes in technology, and to maximize its benefits.
As the report highlights, the following four very human characteristics will be the most important in the cyber arena, and in the wider Fourth Industrial Revolution.
Cybersecurity is quickly becoming one of the most important industries for artificial intelligence, automation and machine learning technology. Analyzing and defending against attacks is still a relatively manual process, akin to a Victorian factory model. Any security operations centre has a long list of processes and actions which it is seeking to automate, and ultimately make redundant. This is a good thing – jobs, not people, need to change.
Freeing up resources so people can spend more effort creatively deploying new technologies and thinking of new security use cases, and new ways of detecting, investigating and attributing threats, is where skills will be most needed.
The most difficult global challenges in cybersecurity today consist of navigating the increasingly complex regulatory and legal environment, while promoting optimum conditions for innovation and cross-border collaboration against threats. At the recent Annual Gathering of the World Economic Forum’s Centre for Cybersecurity, topics addressed involved challenging policy coordination, and blocks to international collaboration as a result of a lack of regulatory consistency.
Cyber professionals increasingly need to be alive to, and be able to navigate, a much broader set of issues than simply technical ones. These include enabling international governments to adopt standards for the collection and sharing of e-evidence which can be used in court; navigating complex data protection rules; and tackling broader geopolitical questions relating to different approaches to cyberspace across the world.
Cyber leaders of the future will face a tough challenge. They must balance an understanding of increasingly complex technical systems, and how they and their users interact with them, with the management of an increasingly diverse global workforce operating in local markets and cultures. This will be made up of people who possess a hugely various range of skills and aptitudes, from those who manage the technical deployment of new types of infrastructure and analytics to those who pave the way in the development of complex regulation and new government partnerships.
Cybersecurity managers will need to support ways of working that get the best out their technical staff, while engaging across multiple levels in their business, as security becomes more integrated across entire organizations.
Investigation of cybercrime is difficult. New systems and technologies, such as offensive artificial intelligence, will make it even harder. Attribution and prosecution remain the critical gap in building effective deterrence models. In the UK last year, over 50% of all recorded crime was internet-enabled, but there were less than 50 prosecutions under the Computer Misuse Act. Being able to think critically about how criminals will use new technical systems to conduct attacks, and therefore what partnerships and analytics are needed to be able to defend against and ultimately prosecute them, will require a distinctly human approach.
While cybersecurity will require technical awareness and hard skills, we should embrace the fact that technological developments will mean that a number of the more ‘process-related’ technical jobs will become obsolete. Instead, a premium will be placed on the need for ‘human’ skills to help us address new challenges and approach them in ways machines simply cannot. Ultimately, we need to harness technological advances in order to support a more creative response to some of the most complex issues facing the world today.
There are strong signs that employers are realizing the need for broader skill sets in the cyber workplace. For example, the recent GISW study found that 33% of cybersecurity executives came to the field from non-technical careers. However, there is still significant work to be done. A more diverse cyber workforce must be encouraged, particularly in relation to gender, and it must become easier for those with non-technical backgrounds to understand the significant impact they could have in this ever-expanding industry.