Is there a shortage of information security professionals?

I just read "A Human Capital Crisis in Information Security," a report written by the Center for Strategic & International Studies. It says that it's a "Report of the CSIS Commission on Cybersecurity for the 44th Presidency."

This report paints a fairly dire picture of the lack of skilled information security professionals and what the implications of this shortage might be. Here's how this report describes this problem:

A critical element of a robust cybersecurity strategy is having the right people at every level to identify, build and staff the defenses and responses. And that is, by many accounts, the area where we are the weakest. According to interviews conducted with Jim Gosler, NSA Visiting Scientist and founding director of the CIA’s Clandestine Information Technology Office, there are only about 1,000 security specialists in the United States who have the specialized skills to operate effectively in cyberspace; however, the United States needs about 10,000 to 30,000 such individuals.

The problem is both of quantity and quality, especially when it comes to highly skilled “red teaming” professionals. We not only have a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.

The cybersecurity workforce to which we speak in this report consists of those who self-identify as cybersecurity specialists as well as those who build and operate our systems and networks. That workforce includes not only workers on government payrolls, but also those contractors who operate as part of the extended government workforce. It also includes those who build and maintain the critical infrastructure on which the public and private sectors have come to rely.

But I have to wonder how accurate this really is.

Are there really only 1,000 people for which there are between 10,000 and 30,000 jobs? The law of supply and demand tells us that market forces would correct this problem fairly quickly: if there's really a shortage of that many people then employers would increase what they pay information security professionals until they get enough of them. And because I don't see a dramatic upward trend in salaries for information security jobs, I'm left believing that there's probably no real shortage of people for these jobs.  

Leave a Reply

Your email address will not be published. Required fields are marked *