An ever-growing sea of purported solutions exists to counter the staffing shortage and train staff—university programs, industry training products and credentialing programs.

With so many solutions in the market—some for many years—one would expect the shortage to at least show signs of levelling off. Unfortunately, the opposite is true. It is estimates a global shortage of 4.07 million cybersecurity staff, which represents a 26% increase from 2018.

As per the industry leaders, they are facing two major problems:

1. Soft skills
2. IT knowledge and skills gaps (which includes knowledge of IT operations, networking, infrastructure and different technologies)

We largely fail to describe cybersecurity work, which is critical to generating enough interest for current and future needs. In doing so, we continue to alienate many bright minds who enjoy analyzing problems, solving puzzles or questioning the status quo. In its absence is the overarching idea that the typical cybersecurity practitioner is a male wearing a black hoodie in a darkened room who has not seen the light of day for weeks, with empty cans of energy drinks strewn on a desk. Further, there are inconsistencies in job titles, unrealistic requirements and scope of work.

In short, how can we expect workforce education and development programs to succeed when the target is moving?

Earlier, the profession or organizations are focusing on the wrong problem. There is no shortage of programs for those willing to enter the profession. Displaced workers and career changers are targets of a growing number of apprenticeship programs, grants, scholarships and reskilling programs. These programs mostly address today’s problems and, as such, are shortsighted. To positively influence the shortage of practitioners we must look at the pipeline.

IT-related jobs have long required a lifelong-learning approach—something that other occupations are encountering as industries and positions morph to keep pace with the Fourth Industrial Revolution. It is plausible that the traditional university model is simply too rigid for the speed at which industry and the world is evolving. Higher learning institutions are wise to consider competency-based education. Formal education serves a purpose but is not the only solution. The overreliance on university education has done more harm than good in the field of cybersecurity.

Within our education system, there exists heavy focus on standardized testing and science, technology, engineering and math education. Although many believe education to be a panacea.

Until recently, much of the reporting on the cybersecurity skills shortage has been quantitative. Although with past experience may have helped increase budgets and headcount, the result is a seller’s market whereby salaries are outpacing budgets and enterprises are hesitant to invest in their staff for fear that they may be poached. In response, adding learning and recruitment programs does not motivate people to enter the field—especially if the barrier to entry is a university degree.

Lastly, the cybersecurity field is rather broad, so it is incumbent upon hiring managers to work with their human resource departments to define critical knowledge, skills and abilities for their positions before specifying requirements such as university degrees.