A recent report and panel discussion from the International Information Systems Security Certification Consortium concluded that the technology industry urgently needs more cybersecurity professionals, but significant barriers remain.
ISC2’s 2024 Cybersecurity Workforce Study, which includes responses from 15,852 cybersecurity professionals and decision-makers globally, found that 90% of respondents face skills shortages within their organizations, particularly in areas such as AI, cloud computing, security, and zero-trust implementation.
Some of these gaps may be due to mismatches between what job seekers want and what potential employers offer. The common joke about “entry-level jobs with five years of experience” may be true, said Brandon Dunlap, senior managing partner at Gartner in security and risk management, during the panel discussion “Bridging the Gap: Challenges in the Cyber Workforce” on Sept. 10.
Globally, the cybersecurity workforce gap stands at 4.8 million, ISC2 reported. That’s a 19 percent shortfall between the positions organizations need to protect their systems and the professionals available to fill them. However, in some countries, including Canada, Brazil, Mexico, the Netherlands, and Spain, the gap has narrowed. (ISC2 notes that this number doesn’t necessarily reflect the number of open jobs.)
HR doesn't always know how to define cybersecurity
These challenges can prevent companies from filling open positions or make it difficult for job seekers to find suitable roles. Defining cybersecurity-related jobs can be particularly tricky for HR teams. Referring to “cybersecurity” as a general term is like saying “medicine” without specifying the type of doctor, said Simon Salmon, ISC2 trainer and IT director at Nottingham City Council.
“You need to have very deep conversations with recruiting and hiring staff about what it really takes to hire the right talent,” said Dan Houser, chairman of the ISC2 board of directors.
Trends show budgetary adjustment and a slight increase in layoffs
Many organizations focus on hiring for mid- and senior-level positions, reflecting a lack of development of critical skills. Of the organizations surveyed:
- 39% cited lack of budget as the main cause of cyber staff shortages. Last year, the top reason was lack of talent.
- Layoffs increased 3% year-over-year, reaching 28%.
- More than a third (37%) of companies have seen budget cuts, an increase of 7% on last year.
- Hiring freezes increased by 6%, with 38% of organizations implementing them.
Houser also noted that companies don't offer competitive salaries. Cybersecurity jobs often have a pay bump compared to other IT positions, but some HR departments don't factor these expectations into their job postings. Government positions, in particular, often struggle to match private-sector salaries.
“Part of the challenge we’re seeing is not that there’s no labor available, but that there’s labor available at a reasonable price,” Houser said.
To attract cybersecurity talent, companies must offer fair compensation, foster a respectful and collaborative work environment and ensure employees feel valued and able to make meaningful contributions, according to Lisa Young, vice chair of the ISC2 board of directors.
As she asked, “How much time do companies spend saying thank you for something they do?” This is particularly an issue in cybersecurity because “one of the measures of success is that nothing bad has happened,” she said. “If we’re doing our job right, it’s often transparent.”
How to promote the employment of workers at the beginning of their careers
Once professionals move up the ranks, job satisfaction tends to remain high, which helps retain them. But nearly a third of participating organizations reported they had no entry-level cybersecurity workers.
Larger companies tend to offer entry-level and junior positions (1-3 years of experience), but most organizations still focus on hiring for mid- to senior-level positions. This approach can contribute to the skills gap by failing to develop a pipeline of workers who can eventually fill senior positions as more experienced workers retire or leave the organization.
Dunlap said other factors that may support cybersecurity job growth include:
- Creating cyber training programs.
- Compensating workers based on their training.
- Launching internal mentoring programs, particularly with mentors who fit employees’ personalities.
Continuing professional development is crucial as the technology field evolves rapidly, Young said. Continuous learning can help professionals gain the skills needed to address the technical gaps identified by ISC2, including artificial intelligence and machine learning, cloud computing security, zero-trust implementation, digital forensics and application security, which are high on the list.
In contrast, the report highlighted a disconnect between perceived and desired AI skills: 23% of cybersecurity professionals think AI/ML skills are in demand, while 12% of hiring managers seek those skills for cybersecurity roles.
Early or non-traditional recruitment
Vocational schools or community colleges can be rich sources of training for cybersecurity professionals, Dunlap said.
Salmon is working on a program that identifies teens with the soft skills needed for cybersecurity — “an aptitude for learning, good customer-facing skills, being personable and able to be present” — and trains them in the technical skills.
“We quickly discovered that the people who were falling behind were people with neurodivergent diagnoses or people with dyslexia, and what we found surprising was that these were people who were excelling,” Salmon said.
“You can address shortages if you are appropriately inclusive,” Salmon said.