Israel at Risk Amid Shortage of Cybersecurity Experts

Israel has emerged as a global power in the war against hackers, but there aren’t enough people to fill the jobs on offer.

An Israel Defense Forces cyber war room.
IDF Spokesperson

This coming Monday the largest cyber security conference in Israel and one of the largest of its kind in the world will open in Tel Aviv. The Cybertech 2017 Conference is a celebration for hundreds of Israeli cyber security firms with an impressive presence of senior industry executives from abroad. This year, as usual, the conference will be opened by Prime Minister Benjamin Netanyahu, who loves to talk about the subject and regards as a national priority.

The Israeli cyber security industry is a source of pride and a major part of the global industry. In 2016 sales of Israeli cyber security comprised about 10% of all the entire global market. Israeli companies including Check Point Software Technologies, CyberArk and Palo Alto Networks, are among the world leaders in the field. In addition, there have been impressive exits in the field for the country’s startups, including the $293 million sale of CloudLock to Cisco last year . According to the IVC Research Center, the industry in Israel employs about 17,000 people and is showing strong, steady growth.

But if you ask the veterans and the senior executives, Israel’s prominence is no guarantee that the situation will continue indefinitely and if it doesn’t the impact will be felt throughout the economy. At its current breakneck speed, Israel’s “cyber engine” is pulling the entire Israeli startup industry after it, but there is a big risk of it stalling, say experts, because there aren’t enough cyber security professionals to go around.

The STKI research company warns that just as cyber threats to national security and the Israeli economy are growing, Israel faces a “profound shortage” of about 1,600 professionals in the cyber security field in various sectors. Within two years the shortfall threatens to widen about 2,100.

Startups hog the best

“If you look at 100 representative cyber security graduates, some of whom came from the military world and some who trained as civilians – over half of them will find jobs in Israeli product companies, in startups, which leaves the cyber people in the IT departments in the banks, in insurance and in the government with less available manpower. Salary costs are only increasing,” says Pini Cohen, a vice president and senior analyst at STKI.

Gil Rosenberg, the academic director of the cyber training course at John Bryce College, says the need for trained professionals is growing faster that the ability to train people to fill the gap.

“We’ll start with the fact that there’s a shortage of high-tech workers in general. If someone knows big data or apps development, he’s in big demand. There’s already a crisis in cyber security because the traditional manpower involved in information security are IT people, those who until now you would ask for a password or access from home. They’re not trained for the modern cyber world, and it’s not their fault,” he says.

“At some point in 2009 the world changed: Attack techniques became far more advanced and complex, and they enable the attacker to enter the system quite easily – but the IT people don’t have the knowledge to diagnose, identify and handle a cyber event. The same change has caused some organizations, corporations, security and financial groups to panic. They say, ‘We’re sitting on mountains of valuable information and worry that the information is accessible to anyone with ability to access it,’ so they’re shouting ‘We need more people.’ The truth is that there’s a shortage of cyber people everywhere, not only in Israel.”

Ran Adler, vice president of the cyber consulting firm BSecure2, gives other reasons for the shortage. First, he says, startups “steal” the best talent in the industry. “Most startups rely on big investment [from capital venture funds and private investors], and therefore attract high-quality employees and create competition for them.”

Second, the demand for employees is increasing overall. “Regulation and public awareness have led to a situation where many clients, who once wouldn’t have imagined needing information security services, have begun to do so, on a huge scale. As a result, there’s an increased need for employees from the cyber field to work inside the organization or for services provided by outside companies.”

Third, the need for these employees also has increased because of tougher regulation that will mean big upgrade to cyber security protections.

In February 2015 the Israeli government issued a decision that changed the government market. Now all government ministries have to work according to cyber standard ISO 27001, meaning that they are going to be undertaking big projects in the field, says Adler.

More than that, ministries are now setting cyber security standards for the industries and companies they regulate — for example the Environmental Protection Ministry over factory plants that are cited for polluting the environment.

“Polluting factories are an example of companies that until now no one has spoken to them about information security .... Now there’s a body that is monitoring them. This has increased the need to recruit cyber experts, not only in companies but in government ministries too, by tens of percentage points,” explains Adler.

Not only that, the government has turned the National Cyber Security Authority into a major public body, leading to a wave of hiring. The authority, established just last year, already has 170 employees, with 200 more expected to come aboard in the next two years. He adds that the Y Generation is more restless and less loyal, which means the best and brightest are often hopping between jobs. “It’s tough competition and quite a challenge for personnel directors in organizations that want to keep their human resource,” says Adler.

Training to fill gaps

“The number of cyber security people being discharged from the army, together with graduates of universities and various courses, can’t fill the gap, and in the not-too-distant future the shortage will reach thousands of additional professionals. Already now organizations find it hard to deal with the attacks and are unable to recruit people. In future the attacks will increase and the demand for workers will increase,” says Cohen.

A June 2016 survey by McAfee, Intel’s information security division, surveyed IT in eight countries, including Israel, and found that 82% of them reported a shortage of cyber security experts and 71% claimed that the shortage adversely affects their business. The salary for Israeli cyber security experts in Israel was found to be the highest in the world relative to the average wage nationwide at almost 3.5 fold.

Several Israeli organizations are meeting the challenge. Esti Peshin, cyber security chief at state-owned Israel Aerospace Industries, says that those coming from the army demand exorbitant salaries and prefer the private sector and startups. IAI concluded that the difference between cyber security and other high-tech professions is not so great, so they now train their own experts. The IAI’s cyber security course, which is open to a few dozen participants, attracted over 1,000 good candidates in related fields. Some of them are age 25 or thereabouts, some 50-plus. “The age differences are no limitation for us. We’re trying to create a mix of various content worlds with an emphasis on teamwork,” Peshin says.

The three-month course will open in three weeks. During the course students will receive a salary from IAI and those who finish are committed to work for the company for at least three years. The course, which was initiated only five weeks ago, is costing IAI over a million shekels ($264,000).

On Thursday a similar but very different initiative will begin with a cyber security course for Haredim sponsored by KamaTech, a nonprofit designed to integrate ultra-Orthodox Jews into the startup industry. They’re taking people with basic computer knowledge and training them for cyber security.

Starting early

The many courses on offer attract candidates to work in cyber security, but some believe that entry into the field should begin earlier – in high school. The Rashi Foundation’s Magshimim Cyber Program, runs a program for outstanding teens from Israel’s social and geographical periphery. “We take them for a three-year cyber journey, from 10th to 12th grades, and they learn the practical aspect of programming, as well as fast learning, solving problems under pressure and dealing with complex situations,” explains Sagi Bar, its CEO.

The course is designed to ready students to join the Israel Defense Forces’ cyber and technology unit, and has a 75% acceptance rate. In 2016, 160 students completed the program, this year there will be 250, and in 2018 it will grow to 500, of thousands who undergo the selection process every year.

According to executives at large firms such as Microsoft, CyberArk and IBM, the shortage is being felt these days mainly in two areas: cyber researchers, who know how to handle a cyber attack, and developers, who know how to write code for cyber security software. Quite a few students found jobs in industry at the age of 18, even before the army, proving industry’s need for these workers.

Despite the obvious shortage in the cyber security industry, the problem may be solved naturally by market forces. The reason is that a bubble is developing in the Israeli cyber security industry. There are a very large number of startups in the field, many of them offering similar and overlapping products and few with significant revenues, not to mention profits. If, as is inevitable, the venture capital funds that back them decide finally to cut back their investing in industry and stop providing artificial respiration to unprofitable firms, many will close – and the people ejected into the market will fill the shortage of cyber security workers.

Cohen is confident that there will be a convergence. “In the end the IT person doesn’t want to deal with 25 cyber security products, but with four or five. Huge corporations, such as Simantech, RSA or McAfee, will buy out small firms, integrate them into their solution, and the overall number of firms will decline,” he predicts.