There's good news and bad on the cybersecurity skills availability front.
On the positive side, the current shortage of cybersecurity professionals in the U.S will likely resolve itself over the next several years as the result of recent efforts involving education, training and security awareness.
But for the time being, organizations will find it disturbingly difficult to recruit the skilled workers they need to defend themselves from internal and external threats, the RAND Corp. warned this week.
Not only will cybersecurity skills become increasingly costly, they will also become very hard to come by in the near future, said Martin Libicki, one of the authors of a 125-page report from RAND.
"There's plenty of evidence that there is a shortage" of cybersecurity professionals -- especially within government organizations, Libicki said. "The problem cannot be solved overnight. It will take a long time to get the right people into this profession."
The RAND report examines the nature and the source of the cybersecurity skills shortage in the U.S. and how the private sector and the government have responded to the crisis.
Demand for security professionals has skyrocketed since 2007 as a result of increased connectivity, raised awareness, a rise in the number of vulnerabilities and an ongoing increase in hacker activity. The sudden and rapid rise in demand has led to substantial increases in pay for security professionals in recent years, but that has done little to attract new people to the field of cybersecurity, RAND said.
"In the longer term," RAND said, "as long as demand does not continue to rise, higher compensation packages and increased efforts to train and educate people in cybersecurity should increase the number of workers in the field" -- putting downward pressure on salaries.
Some of the increase in demand for people to fill security jobs may run counter to underlying realities. Because of the heightened attention paid to cyberthreats, it's possible that some companies think, perhaps incorrectly, that they're at greater risk than they were a few years ago and assume that the solution is to hire more security specialists.
As organizations come to better understand their true security needs, demand for cybersecurity workers may fall in the longer term, RAND said.
Here are four other takeaways from the report.
Government organizations are hurting the most
The increased demand for cybersecurity professionals has pushed compensation packages to levels that government organizations have a hard time matching. This is especially true when it comes to attracting and retaining top-level security professionals, Libicki said.
Government compensation is often constrained by rigid pay scales and grade levels that restrict the ability of agencies to hire people with the skills they need in a supply-constrained labor market. The problem is less acute for lower to midtier IT security pros.
"However, once professionals can command more than $250,000 a year, the competitiveness of the U.S. government as an employer suffers correspondingly," the RAND report noted. Though special rates are often available for senior IT specialists, candidates may be discouraged by the public sector's long recruiting process and the delays associated with vetting and security clearance procedures.
Companies can pay all they want and still not find enough people
In the short term, the supply side of the manpower equation will not be responsive to higher salaries because there simply aren't enough professionals to go around. Since training and educating a new generation of cybersecurity workers can take years, organizations that need people with security skills will be hard pressed to find them.
On a positive note, the higher compensation packages offered to security professionals could begin to attract candidates from other technical areas, such as engineering.
Employers should look at alternate approaches
Companies and government agencies should consider adopting more secure IT architectures and best practices to reduce their dependence on people to keep their systems secure. Organizations spend close to $70 billion on cybersecurity annually around the world, Libicki said. If even 10% of that amount was invested in making software more secure, there would be less of a need for cybersecurity professionals.
"We have a model that basically says 'I accept the world of software as is, and I am going to patch everything at a systemic level,'" he said. That approach is basically unsustainable over the long term. A company that has 600 security professionals today might require 1,000 in a few years -- and it still wouldn't be secure.
Importing talent may not be a good approach
A great deal of cybersecurity work is already internationalized, so recruiting security professionals from other countries may not solve the manpower problem, RAND said. Moreover, bringing in workers from other countries could depress wages and discourage U.S.-born professionals from pursuing careers in cybersecurity. Further complicating the equation is the fact that foreign-born nationals won't be able to get the security clearances required to work at many government organizations.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His email address is firstname.lastname@example.org.