HomeTechnology and Security, CIO

Closing the cybersecurity skills gap

Employee skills – not traditional college degrees – are the focus of a "new collar" approach to hiring IT professionals.

Download the full reportDownload the infographic

There is continued high demand for cybersecurity professionals and an ongoing shortage of talent. Organizations are pursuing numerous ways to close the talent gap in both the short and long term – including new university programs, technical and vocational programs, apprenticeships, certifications, early education and government programs. IBM believes many cybersecurity jobs can be filled through a “new collar” approach that involves tapping professionals who may not have a traditional college degree but do have the needed technical skills and aptitudes.

An organization is only as good as the people that are part of it. For cybersecurity leaders, the challenge of recruiting and retaining the best technical and business professionals is a constant worry. Frost & Sullivan predicts that the growing gap between available qualified cybersecurity professionals and unfulfilled positions will reach 1.8 million by 2022.¹ Many leaders believe that not enough is being done about the shortage. According to a report by the Center for Strategic and International Studies and Intel Security, three out of four security professionals surveyed believe their government is not investing enough in cybersecurity talent.² This cybersecurity talent issue isn’t limited to a few sectors; it runs across the board from government to education to industry.

The difficulties don’t end at raw numbers. Even though government, industry and education are attempting to address the problem, the entire supply chain of talent is stressed. Industry is facing a shortage of qualified candidates with the necessary hands-on skills and product experience. Those working as security professionals today are under constant pressure, as they need continuous training and professional development to keep up with evolving technologies and the threat landscape. They are also challenged to find time to properly mentor and train new hires.

Academic institutions want to meet industry needs, but they are struggling to evolve curriculum to keep pace with industry shifts and technological advances. There is also a shortage of qualified teachers and professors at both the university and community college levels, as many are lured away to industry by rising salaries. Finally, students interested in pursuing the cybersecurity field are faced with defining a career path from myriad options and obtaining the significant education and experience required.

Training for the race: It’s all about skills

Skills are at the center of a new-collar approach, and they require a renewed focus. The skills shortage is not limited to cybersecurity talent, as both industry and education face a shortage of workforce skills in general. A recent IBM Institute for Business Value study, “Facing the storm: Navigating the global skills crisis,” revealed that a majority of executives surveyed struggle to keep workforce skills current in the face of rapid technological advancement.³ They fault both their countries’ education systems and private industry — 55 percent of executives surveyed said the education systems in their countries don’t do enough to promote lifelong learning and skills development, and the same percentage indicated that inadequate investment from industry is the most fundamental challenge around the issue.⁴

What skills should new cybersecurity professionals focus on? No matter the educational background of the professional, there are some essential elements. These elements can be classified into two groups: core attributes and skills. Core attributes can be considered a general disposition beneficial to security professionals — a set of common personality traits and learned behaviors. Skills include both technical and workplace-related abilities. A new security professional may not have all these skills at first, though focusing on them over time will provide greater career path flexibility and the foundation for technical or business-focused leadership positions.

Expanding the field: New types of roles

Cybersecurity is just one of many job categories that leverage emerging technologies and require skills and knowledge to perform, but do not necessarily require a traditional four-year university degree. A new-collar approach recognizes there are alternative ways to learn the skills needed. For example, respondents from a CSIS and Intel Security study ranked hands-on experience and professional certifications as better ways to acquire cybersecurity skills than a degree.⁵

There are many different security-related roles, ranging from software development, design and sales to consulting and managed security services. Within those areas are dozens of positions requiring different skills and experience, many of which could be filled through a new-collar approach. For example, since 2015, IBM Security has hired over 170 people in the United States with less than a university-level education as IT specialists, sellers, software developers and consultants. This accounts for roughly 17 percent of all U.S. hires.

A new-collar approach can be used to help fill both technical and non-technical roles. In our report, "It's not where you start -- it's how you finish," we have identified some specific roles as suitable places to start.

¹“Net Losses: Estimating the Global Cost of Cybercrime.” Center for Strategic and International Studies and McAfee. June 2014. https://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf

²“The 2017 Global Information Security Workforce Study: Women in Cybersecurity.” Frost& Sullivan. March 2017. https://iamcybersafe.org/wp-content/uploads/2017/03/WomensReport.pdf

³“Hacking the Skills Shortage: A study of the international shortage in cybersecurity skills.” Center for Strategic and International Studies and Intel Security. 2016. https://www.mcafee.com/ca/resources/reports/

⁴“The 2017 Global Information Security Workforce Study: Women in Cybersecurity.” Frost & Sullivan. March 2017. https://iamcybersafe.org/wp-content/uploads/2017/03/WomensReport.pdf

⁵“2016 Fact Sheet.” American Association of Community Colleges.http://www.aacc.nche.edu/AboutCC/Documents/AACCFactSheetsR2.pdf; IBM Institute for Business Value interview with Casey O'Brien, Executive Director & Principal Investigator, National CyberWatch Center. February 21, 2017.

Bookmark this report  

Additional content
Infographic PDF:

Meet the author

Lindsey Lurie

Connect with author:

, Chief Marketing Officer

You might also like

In the cognitive era, organizations face well-known security challenges that lead to gaps in intelligence, speed and accuracy when confronting threats and incidents.


Read how business, education and government leaders must work together to deepen the workforce talent pool and solve the global skills crisis.


Our research reveals three key strategies to guide human resources executives in closing the skills-related gaps in their organizations.