
What are the root causes of the cybersecurity skills shortage?

SearchSecurity talks with David Shearer, CEO of (ISC)2, about what is -- and isn't -- contributing to the cybersecurity skills shortage in the U.S., as well as how to fix the problem.

What's causing the cybersecurity skills shortage in the United States?

While some believe the shortage of cybersecurity professionals can be attributed to a lack of students earning degrees in science, technology, engineering and mathematics (STEM), David Shearer has a different view. Shearer, CEO of the International Information Systems Security Certification Consortium, or (ISC)2, believes the issue has more to do with how information security is viewed as a profession.

At the (ISC)2 Security Congress in Austin, Texas, last fall, Shearer took part in a panel discussion on the cybersecurity skills shortage with other industry figures, such as Deidre Diamond, founder and CEO of infosec staffing and recruiting firm CyberSN, and Don Freese, deputy assistant director of the FBI and former head of the bureau's National Cyber Investigative Joint Task Force.

SearchSecurity talked with Shearer following the panel and asked him about his views on the cybersecurity skills shortage and whether or not the ongoing string of high-profile data breaches has negatively impacted the image of the infosec profession. Here is his answer.

David Shearer: I think there is always going to be a certain percentage of people that look at the profession negatively and feel like they're going to be a scapegoat when things go wrong.

Let's just take any type of area where there's high risk and sometimes a perceived low reward for the amount of risk that's there. The people that tend to throw themselves into these types of areas, those are the people that are out there who say, 'I'll take the risk because I think I can make a difference. I think I can do this.'

A good example of that is Kevin Charest on the (ISC)2 board, who is in the healthcare arena. He is one of those people who wants to take on the tough challenges of turning around or enhancing a healthcare security program. What we need is more people to do that, but I think there's a certain put off to it.

It's the same thing that [FBI Deputy Assistant Director] Don Freese said during his keynote. He said we're seen as the people that say no to everything and thwart innovation. Well, how appealing is that?

That [was] the issue I was talking about on the panel to explain that the cybersecurity skills shortage is not a STEM issue. Does the United States have a STEM problem? Yes, we do. But that's not what's happening here with the cybersecurity skills shortage.

You have a region that puts out more STEM candidates than the United States since 1995, being the Asia-Pacific region, and the numbers [for the workforce shortage] are almost exactly the same. You go to colleges and universities and you could walk into almost any engineering discipline, including computer science, and most of those folks have no training on cybersecurity. It's starting to change, but maybe not for the right reasons.

Those colleges and universities -- and everyone else -- want to get into the cybersecurity game because they see the dollars and cents that are being spent on it. But now that they have curriculum within the university, a smart person might pepper in something more. I mean, we have a CSSLP [Certified Secure Software Lifecycle Professional] certification that's for secure software, and I believe that we either need to modify that certification or have another one that's not just software.

Look at the engineering that goes into manufacturing an automobile or public transportation. It's electrical, it's mechanical, it's software and it's chemical engineering. We need to be raising that at the design and engineering phase across those disciplines. They at least need to have Cyber 101 and say, 'When you're using your creative juices at the inception stage, be thinking about how we put secure products out.'
