The state of the cyber security field, for both the public and private sectors, remains uncertain. Almost every advancement in the arena of firewalls and malware countermeasures is met with a corresponding move by hackers, cyberterrorists and other malicious actors in the digital space, much like the ongoing push-pull dynamic between law enforcement and high-level players in the illicit drug trade. Skilled information security (or “infosec”) professionals work tirelessly to stay one step ahead of cybercriminals, but the frequently equivalent determination on the other side of the law means that it’s never clear how long IT and infosec personnel will retain such an advantage if they successfully establish it.
A deficiency in the number of dedicated professionals trained and experienced in preventing some cyberattacks and mitigating the damage from those they can’t prevent stands out as a major factor behind the various cybersecurity problems that companies all over the world currently face. As a result, there may be no better time than now for prospective graduate students who are passionate about the rapidly evolving world of computing to further their education with a master’s degree in cyber security, in the hope of filling these open positions soon.
With that in mind, it’ll be helpful to take a closer look at the personnel shortage and the various circumstances surrounding it:
How staff shortages develop
According to the 2017 State of Cyber Security report by the Information Systems Audit and Control Association, the shortage of cyber security professionals throughout the business world does clear and measurable damage to these enterprises. Failures to address this deficiency have also contributed to a phenomenon called “security fatigue,” in which workers view cyber security as a problem that can’t be solved and become indifferent to it – a total self-fulfilling prophecy.
The most concrete issue behind this employee shortage and its persistence is a lack of qualifications among those who show an interest in the field. ISACA’s queries to enterprises looking to fill infosec positions found that 59 percent of respondents received five applicants for every open position – but according to 37 percent of these business leaders, fewer than 25 percent of those applicants are qualified. A majority of these companies stated that experience in the field is most important to them in terms of qualifications, ahead of both cyber security organizational certifications and professional degrees.
While that preference might make one question the necessity of a master’s in cyber security, consider this: These companies’ current preferences aren’t netting them the proper number of qualified applicants, and at some point, the other shoe is bound to drop.
Furthermore, it often takes companies a long time to fill open cyber security jobs. While 45 percent of respondents to the ISACA report stated that it took two or three months to bring in new talent for these positions – with 30 percent of that 45 saying three months – 26 percent said it took six months, and 6 percent said they haven’t been able to make these hires at all.
Outsourcing becoming more common
These and other difficulties companies are facing when searching for experienced IT and infosec personnel could be what is leading some of them to outsource their cyber security needs. According to the Cyber security Trends Report of 2017, a wide-ranging look at the industry overseen by Holger Schulze, head of LinkedIn’s Information Security group, and sponsored by Raytheon, Alert Logic and others, outsourcing is taking the place of in-house cyber security departments in many cases.
The most frequent reason for outsourcing cyber security to managed security services providers and similar organizations was a lack of the resources and expertise necessary to internally handle such tasks, mentioned by 39 percent of organizational leaders questioned as part of this report. Saving money and having the ability to monitor security 24/7 were the next most common reasons, with 36 percent and 31 percent of respondents citing them, respectively.
As one might expect, security expertise is the most valued quality of a cyber security third-party partner, according to 71 percent of company leaders. Managed security services firms are being enlisted to handle responsibilities including:
- Penetration testing, which can involve software that analyzes a company’s security system to find weaknesses, a simulated cyberattack or a full-blown hack – albeit a white-hat hack, conducted to literally demonstrate how such a breach could occur.
- Intrusion detection or prevention services.
- General security monitoring.
- Security information and event management, providing thorough analysis of security alerts.
Increases in the outsourcing of such services may actually be beneficial in the long run to grad students considering a master’s degree in cyber security.
We’ve established that a shortage of talented cyber security professionals exists. And for any number of reasons – ranging from the difficulty of finding qualified candidates to a sense of burnout regarding security – businesses and organizations aren’t champing at the bit to build in-house IT and infosec departments. But instead of looking to be the primary overseer of a company’s cyber security system, perhaps working for a managed cyber security services or SIEM firm might be better for you.
The urgency of cyber security is well understood at this point. Thus, there will always be a need for those who help provide it, regardless of whether you work in-house as a security expert or help a third-party firm bring managed security services to a wide range of clients. Additionally, the Bureau of Labor Statistics notes that infosec professionals earned median annual salaries of $90,120 in 2015, and the growing need for security and the documented staff shortage mean that figure is most likely to increase in the near future.