Hackers' Path Eased as US Cybersecurity Jobs Sit Empty
The war for talent has been well-telegraphed throughout the country, but it's particularly acute in cybersecurity.
April 01, 2022 at 02:16 PM
President Joe Biden has urged U.S. companies to "harden your cyber defenses immediately" amid a growing risk of Russian cyberattacks. For many, that won't be easy.
The war for talent has been well-telegraphed throughout the country, but it's particularly acute in cybersecurity. And it's only worsened as competition in the broader labor market has heated up, heightening both companies' potential vulnerability to hackers and the urgency to boost the workforce.
About 1 million people work in cybersecurity in the U.S., but there are nearly 600,000 unfilled positions, data from CyberSeek shows. Of those, 560,000 are in the private sector. In the last 12 months, job openings have increased 29%, more than double the rate of growth between 2018 and 2019, according to Gartner TalentNeuron, which tracks labor market trends.
"The crunch for cybersecurity talent has definitely gotten a lot worse," said Jamie Kohn, human resources research director at Gartner Inc., a tech research and consulting firm. "We thought we had five years maybe to get those professionals in the door, and now we're trying to do it overnight."
Workers with the technical skills required to respond to cyber threats were already hard to come by before the COVID-19 pandemic forced employees to work from home. But a confluence of events ratcheted up demand even more for positions such as software developers, vulnerability testers, network engineers and cybersecurity analysts.
With so many employees using their home networks and computers, phishing attempts soared, as did ransomware attacks on businesses, schools, hospitals and other organizations.
A ransomware attack on Colonial Pipeline Co. resulted in Americans' panic-buying fuel, leading to supply shortages on the East Coast last May, while other high-profile incidents were attributed to hackers supported by U.S. adversaries. In December 2020, for instance, investigators revealed a cyber-espionage campaign in which state-sponsored Russian hackers exploited software made by SolarWinds Corp. to infect some customers. Moscow has denied involvement in the matter.
"There are times within cybersecurity when the market even grows faster and when the demand is hotter and I believe we kicked off one of those cycles with SolarWinds," said Bryan Palma, chief executive officer of Trellix Corp. "Now we have the Russia-Ukraine conflict. We're seeing cybersecurity grow faster than the normal 16% each year, which therefore is driving the need for even more skills and professionals in that area."
The cyber worker shortage is a particular problem with smaller organizations, everything from municipalities and law firms to hospitals and businesses, that can't offer high enough pay to attract high-skilled workers, said Max Shuftan, director of mission programs and partnerships at the SANS Institute, a cybersecurity training organization.
"Most civilian public agencies can't pay what the public sector can," Shuftan said. "At the same time, small businesses — companies that aren't in an industry that you'd normally worry about this — they're probably not going to have the staff and that makes them more vulnerable to attacks."
Last year, ransomware attacks affected the operations of organizations, including a San Diego hospital system, a nationwide payroll provider and the office network of the Illinois attorney general.
"Our critical infrastructure, our way of life is really under cyber assault all the time," Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, said during a speech in mid-March. "And our current geopolitical crisis is only exacerbating this threat."
If Americans don't do something about it, there will be 3.5 million unfilled cybersecurity jobs by 2025, Easterly said, apparently citing a figure from Cybersecurity Ventures, a research organization.
The Department of Homeland Security rolled out a new system for hiring cybersecurity personnel in November that would allow federal cybersecurity workers to make as much as $255,800, equivalent to the salary of Vice President Kamala Harris. The new pay scale system was created to help the DHS compete for talent, according to the DHS.
The cybersecurity industry also isn't immune to the broader macroeconomic trends that are upending the labor market, including a desire for remote work, flexible hours and higher pay. Trellix, for instance, will adopt a hybrid model in which employees balance remote work and work from offices.
In 2020, the annual mean wage for information security analysts was $107,580, almost double the mean for all U.S. occupations combined, according to data from the Bureau of Labor Statistics.
"The competition is real, the great resignation is real, it's definitely a day-to-day battle," Palma said. "And compensation is a part of that." Since the pandemic began, Trellix has grown its overall staff by 5%, but the company is still trying to grow by another 10% or more.
Because cybersecurity skills are in such high demand, workers have room to negotiate and can jump from one company to another relatively easily. But hiring cybersecurity professionals from another company doesn't address the underlying issue: that there aren't enough qualified workers, said Stuart Madnick, professor of information technologies at the MIT Sloan School of Management.
Countries such as Russia, China and Israel that have compulsory military service have a better talent pipeline of qualified individuals who have been trained in cybersecurity at the government level, according to Palma. He said he's been communicating with members of Congress to create an AmeriCorps-type program specifically for fostering cybersecurity talent because there aren't enough Americans being trained via government service.
Other efforts to increase the talent pool include implementing cybersecurity courses in high schools, offering workshops to lower-level IT professionals, running training in rural regions and dropping degree requirements in favor of aptitude tests. Automating some security-related tasks could also be a solution to the hiring problem.
"We have a massive shortage of security experts on the planet, and we want to automate so much of the talent and capability," Kevin Mandia, CEO of Mandiant Inc., said in a briefing with reporters in early March. "That's all software's ever been is the automation of human process."
But none of those solutions are immediate, and the threats are.
"The worst is yet to come," said Madnick of MIT. "Not just because things have been getting worse and worse each year, but we've concluded that the disruptions we see are nowhere as bad as they could've been. We think in many cases these were test runs."
Olivia Rockeman reports for Bloomberg News.