WASHINGTON—The cybersecurity industry is grappling with a new threat: hiring.
Information security experts and executives said the fast-growing cybersecurity field is facing a scarce talent pool, with thousands of positions to fill as demand grows.
"It is pretty much impossible to hire folks within the indicated backgrounds," said Alex Stamos, Yahoo's chief information officer and a world-renowned cybersecurity expert. "There are maybe four or five thousand people in North America I can hire right now who have the technical skills keen to us."
Stamos is one of many U.S. security professionals having trouble hiring people as cyberattacks and data breaches continue to increase. A recent independent survey by the Ponemon Institute, sponsored by IBM, showed that personal information of almost half of the nation's adults — 110 million Americans — was hacked in 2014.
Add to that this data point: The Bureau of Labor Statistics has projected the demand for information security analysts will increase by 37 percent between 2012 and 2022. There will be approximately 100,000 more jobs available in the field of cybersecurity seven years from now, according to the bureau's Occupational Outlook Handbook.
The demand for information security professionals is quickly exceeding the number of people who are capable of doing the job, said Peter W. Singer, former director of the Center for 21st Century Security and Intelligence at Brookings Institute and a strategist at the New America Foundation, a public policy institute.
"We don't have enough expertise in the right places now," said Singer, co-author of a recent book "Cybersecurity and Cyberwar". "We often frame cybersecurity as a technology problem. It is a human problem."
While there isn't a single best solution to a complex shortage of candidates, Singer said, education should be a top priority in meeting anticipated needs.
Many experts and policymakers also see institutional reform as a place to start.
"We need to invest in cyber education, and there's no such thing as 'too early' when it comes to exposing our young people to [cybersecurity] and training them in this field," said Rep. Jim Langevin, D-R.I., congressional cybersecurity caucus co-chair and a former member of the Homeland Security Committee.
"Cybersecurity should be a universal concentration option for computer science and information technology programs at the collegiate level. It is an important specialty and one with tremendous growth potential," Langevin said.
Scott Borg, a leading expert in cybersecurity economics and CEO of the nonprofit research institute U.S. Cyber Consequences Unit, said there are many challenges in building an effective academic program.
"To do cybersecurity well you need two kinds of qualities that we don't know how to train for," Borg said. "We don't know how to train them to move across many disciplines, many different technical areas. We also don't know how to train people to think like hackers or think outside the box."
Some professionals in academia are working on these challenges.
A successful program needs to address all aspects of cyber infrastructure, said Vijay Anand, cybersecurity program director at Southeast Missouri State University and a former senior software engineer at Motorola.
"Typically security education is done in either the computer science program or the computer engineering program or electrical engineering program with focus in very specific topics," said Anand who built the university's cyber curriculum from scratch a few years ago. "In this program what they have done is they have put all the different topics that are critical to security infrastructure or cyber infrastructure and try to add all those concepts into the program."
Currently the fastest growing program at the university, the department has about 100 students who are learning topics ranging from encryption coding and data analysis to risk assessment and organizational cybersecurity strategy planning. In addition to hands-on field studies, students are also advised by industry experts.
"We want to educate everybody about the need for security and the basic construct of security," Anand said. "We are working to create a course that everybody can take and at least develop some basic understanding of cybersecurity."
Looking ahead, the role of government is crucial, said Steve Santorelli, director of intelligence and outreach at Team Cymru, Inc., a nonprofit Internet security research firm.
"There are programs to boost specialist detectives pay, programs to enable internships in government programs and identify top talent to support in tertiary education," Santorelli said.
In many cases, the mission-driven work in the government also serves as the best training field for the top cybersecurity professionals, said Suzanne E. Spaulding, under secretary for the National Protection and Programs Directorate at the Department of Homeland Security.
"We will take them when they first graduate," Spaulding said. "We will give them that first on-the-job training. I think at some point at the end of their career, they will miss their mission and they will come back."
With coordinated efforts across different fields and sectors, Yahoo's Stamos believe he will soon have a large pool of highly qualified candidates to choose from.
"With a little bit of incentive and determination you can see that done and you can see more cybersecurity experts and cybersecurity excellence," Stamos said.