There's good news and bad on the cybersecurity skills availability front.
On the positive side, the current shortage of cybersecurity professionals in the U.S. will likely resolve itself over the next several years as the result of recent efforts involving education, training and security awareness.
But for the time being, organizations will find it disturbingly difficult to find the skilled workers they need to defend themselves from internal and external threats, the RAND Corp. warned this week.
Not only will cybersecurity skills become increasingly costly, they will also become very hard to come by in the near future, said Martin Libicki, one of the authors of a 125-page report from RAND.
"There's plenty of evidence that there is a shortage" of cybersecurity professionals — especially within government organizations, Libicki said. "The problem cannot be solved overnight. It will take a long time to get the right people into this profession."
The RAND report examines the nature and the source of the cybersecurity skills shortage in the U.S. and how the private sector and the government have responded to the crisis.
Demand for security professionals has skyrocketed since 2007 as the result of increased connectivity, raised awareness, more vulnerabilities and ever more hacker activity. The sudden and rapid rise in demand has led to substantial increases in compensation packages for security professionals in recent years, but that has done little to attract new cybersecurity professionals, RAND said.
"In the longer term, as long as demand does not continue to rise, higher compensation packages and increased efforts to train and educate people in cybersecurity should increase the number of workers in the field" — putting downward pressure on salaries, it noted.
Some of the increased demand may also run counter to the underlying realities. Because of the heightened attention paid to cybersecurity, it's possible that some companies think they're at greater risk than they were a few years ago and assume they need more people.
As organizations come to better understand their true security needs, demand for cybersecurity workers may fall in the longer term, RAND said.
Here are four other takeaways from the report:
Government organizations are hurting the most
The increased demand for cybersecurity professionals has pushed compensation packages to levels that government organizations have a hard time matching. This is especially true for their ability to attract or retain top-level security professionals, Libicki said.
Government compensation is often constrained by rigid pay scales and grade levels that restrict the ability of agencies to hire the skills they need in a supply-constrained labor market. The problem is less acute for lower to mid-tier IT security pros.
"However, once professionals can command more than $250,000 a year, the competitiveness of the U.S. government as an employer suffers correspondingly," the report noted. Though special rates are often available to senior level IT specialists, the long recruitment processes, vetting and security clearance delays can discourage candidates.