The labor market has long experienced a shortage of cybersecurity experts. Often, companies in need of information-security specialists can’t find any – at least, those with specialized formal education and the necessary experience. In order to understand how important it is for a company to have specialists with a formal education in this area, and how well such education meets modern needs, our colleagues conducted a study in which they interviewed more than a thousand employees from 29 countries in different regions of the world. Among the respondents were specialists of various levels: from beginners with two years of experience, to CIOs and SOC managers with 10. And judging by the respondents’ answers, it looks like classical education isn’t keeping up with InfoSec trends.
First and foremost, the survey showed that not all specialists have a higher education: more than half (53%) of InfoSec workers have no post-graduate education. But as to those with it, every second worker doubts that their formal education really helps them perform their job duties.
Cybersecurity is a rapidly changing industry. The threat landscape is changing so fast that even a couple of months lag can be critical – while it can take four to five years to obtain an academic degree. During this time, attackers can modernize their tactics and methods in such a way that a graduate InfoSec “specialist” would have to quickly read all the latest articles about threats and defense methods in the event of an actual attack.
InfoSec specialists with real life experience argue that educational institutions in any case don’t provide enough practical knowledge – and don’t have access to modern technologies and equipment. Thus, to work in the InfoSec field and to fight real cyberthreats, some additional education is required anyway.
All this, of course, doesn’t mean that cybersecurity professionals with higher education are less competent than their colleagues without it. Ultimately, passion and the ability to continually improve are of the utmost importance in professional development. Many respondents noted that they received more theoretical than practical knowledge in traditional educational institutions, but felt that formal education was still useful since, without a solid theoretical basis, absorption of new knowledge would progress more slowly. On the other hand, specialists who don’t have post-graduate education at all, or who came to information security from another IT industry, can also become effective specialists in protecting against cyberthreats. It really does all depend on the individual.
How to improve the labor market situation
In order for the market to attract a sufficient number of information security experts, the situation needs to be balanced on both sides. First, it makes sense for universities to consider partnering with cybersecurity companies. This would allow them to provide students with more practically applicable knowledge. And second, it’s a good idea for companies to periodically increase the expertise of their employees with the help of specialized educational courses.
You can read the part of the report devoted to InfoSec educational problems on the webpage of the first chapter – Educational background of current cybersecurity experts.