An Edmonton-based company began advertising this month for a global security architect.
The winning candidate, to earn between $90,000 and $105,000 a year, will be responsible for developing and building infrastructure security solutions for the firm, as well as managing and running its international security operations.
Among the skills demanded, applicants have to show “demonstrable expertise on architecture and operations of large globally spread infrastructure environment,” have eight to 10 years of “progressively more responsible work in this field,” have at least one of a set of certifications such as the CISSP, have experience in securely migrating solutions to the cloud, and have the ability to estimate the financial impact of risk mitigation.
The odds of the company finding a candidate with all those skills (and more not listed here) within the price envelope aren’t good. Organizations of all sizes find they need to devote more IT resources to meet the increasing number of online attacks. And while automation is part of the solution, hands are needed as well for everything from configuring hardware to analyzing threat data.
“Based on the primary research we’re conducting with the industry, there seems to be a pervasive shortage of cybersecurity professionals,” says Sam Bourgi, senior analyst at the Information and Communications Technology Council (ICTC), a not-for-profit that advises governments and industry on technology and the labour market.
“The general trend in Canada is that about 30 per cent of IT employers are having a hard time hiring IT workers. That also applies to cybersecurity.”
There’s anecdotal evidence that new trends including big data, cloud computing and mobile computing are compounding the problem, he added, because these need new IT security competencies, “and a lot of these skills really aren’t met here.”
Based on international surveys, he added, there’s evidence that the global shortage of cybersecurity professionals is pushing up salaries.
Demand is “right across the board” for all IT security-related positions, says Nathan Wawruck, who manages the Vancouver branch of Robert Half Technology, a recruiting firm. For those with certifications “the prospects are quite bright.”
The shortage is “really one of the top concerns of our members,” says David Messer, senior director of policy at the Information Technology Association of Canada (ITAC), which represents the IT industry.
“There are a number of us in the Ottawa area trying to address the shortfall,” says Michael Quinn, president of the Ottawa chapter of Information Security Systems Association (ISSA) and senior director for security and privacy consulting at the accounting firm Raymond Chabot Grant Thornton, who also teaches IT security part-time at Algonquin College.
“We know there’s demand and we know there’s a lack of young students and good, timely, localized training in some of the security domains.”
Quinn said an informal Ottawa group is still in the early stages of trying to understand the demand for IT security pros and how best to address it: through university or college courses for students, or by creating a new institute for training students and/or those already working.
One problem is it isn’t clear how many people are needed and in what specialties — in fact it isn’t even clear how many are employed here in cybersecurity.
Bourgi says Ottawa estimates there are about 200,000 “information system analysts” — which covers a wide range of IT security-related positions — in Canada.
The ICTC takes a narrower definition (for example, it doesn’t include managers) and estimates there are about 12,000 infosec professionals in Canada today. The council also figures roughly 2,000 more will be needed by 2019 — at a time when demand for skilled cybersecurity people is up around the world.
This is a conservative estimate, adds Bourgi. A more precise number may be available later this year when an ICTC detailed study of the demand for cybersecurity talent here is finished.
There’s no shortage of courses for churning out entry-level potential employees: SERENE-RISC, a network of cybersecurity academics and public and private sector experts based at the University of Montreal, compiled a directory last year of 450 IT security-related courses at 60 Canadian universities. That doesn’t include courses and certificates offered by colleges, vendors, institutes like the ISC2, Learning Tree, the EC Council, the SANS Institute and many others.
ITAC also runs a program that adds IT courses to business curriculums at 19 institutions across the country, training 3,000 students a year who have business and technology degrees. Working with SERENE-RISC last month, the program added five specialties, one of which is cybersecurity.
It’s not enough, says Benoit Dupont, SERENE-RISC’s scientific director. Universities need to offer degrees in cybersecurity, he said. Only Montreal’s Concordia University offers a master’s degree in information security, he said, but it only graduates 50 students a year, “when we need thousands.”
Universities and colleges may not be early enough for talent-spotting. ITAC’s Messer noted some countries, such as Israel and the United States, have programs aimed at high school students that we should emulate.
For example, the U.S. Air Force Association, a veterans’ lobby group, sponsors a National Youth Cyber Education Program, dubbed CyberPatriot, that includes a problem-solving competition for high school teams, CyberCamps and an elementary school cyber education initiative to encourage cybersecurity careers.
In the U.K. a public and private sector group called the Cyber Security Challenge sponsors a Cyber Centurion team-based cyber security contest for 12-18 year olds.
However, in Canada there’s only the Cyber Defence Challenge, a team-based competition offered mainly in Manitoba high schools. Organizers are ICT volunteers and members of the Winnipeg branch of the Information Systems Audit and Control Association (ISACA).
ICTC has a Focus on IT program in some high schools across Canada to show Grade 11s what careers in IT are like. But it’s not focused on cyber
“We don’t have a national program looking to get young people interested in cybersecurity careers and identify those students who have a real aptitude to be those super-experts,” says Messer.
However, Richard Zaluski, a Canadian and CEO of the London-based Centre for Strategic Cyberspace and Security Service, which advises organizations on cybersecurity strategy, suspects the real problem is a shortage of experienced infosec personnel.
One solution is to insist computer science students serve month-long internships every semester to gain practical experience, he said. Ultimately, he adds, organizations need to keep doing what they have been for years: on-the-job training, through experience and underwriting staff to take courses.
“When they talk about a shortage of cybersecurity professionals, the key word is professionals. You can be a plumber, but you serve your apprenticeship first, and then you’re a professional plumber.” That’s why enterprises “need to have a training budget that’s realistic,” he adds.
There’s the other side to all this demand, at least for experienced infosec pros. “There’s probably not a better time to be a security professional in Canada than right now — at least financially speaking,” says Ajay Sood, general manager of FireEye’s Canadian division. The quality of university and college IT training is improving so that graduates are being snapped up, he said — and they understand the Internet, social media, the Internet of Things better than “us old guys.”
So while experienced cybersecurity personnel are few and far between “the right attitude and the right mindset is going to differentiate organizations in a competitive landscape.”
Ultimately, until supply meets demand, money talks. “If you’re a very wealthy company or have lots of resources you can probably also offer very competitive packages and attract top people,” says SERENE-RISC’s Dupont. “So market forces will prevail. But the problem this creates is only the best endowed companies will be able to afford cybersecurity experts. That’s also a problem because it creates a drain on cybersecurity people in government, so it’s hard for government to keep those people long enough after they’ve been trained … All the others will have to find stop-gap solutions,” such as automation, “but that’s a bit of wishful thinking because there are a number of things machines can’t do.”
It will require the private sector, provincial education ministers and university presidents to sit down to find a solution, he said. “This is a mess, but it is also an opportunity if we manage to transition to this new reality and produce the talent we need.”