(ISC)²: Cybersecurity workforce shortage nears 3 million worldwide

With a workforce in short supply, the skills gap has affected the professional growth of security pros worldwide, an (ISC)² Cybersecurity Workforce Study found.

Research puts the cybersecurity workforce shortage at roughly 2.93 million globally, with the demand versus supply of security professionals in Asia-Pacific far outpacing all other regions combined.

The shortfall in Asia-Pacific, estimated at 2.15 million, is attributed to growth in numerous countries and security and privacy regulations, according to the International Information System Security Certification Consortium Inc. (ISC)², a nonprofit organization headquartered in Clearwater, Fla., that fielded the study.

The (ISC)² Cybersecurity Workforce Study (formerly the Global Information Security Workforce Study) surveyed close to 1,500 self-identified security professionals worldwide, including IT professionals who spend at least 25% of their time on security-related tasks. Best known for its CISSP certification, (ISC)² offers training and information security certification programs (SSCP, CCSP, CAP, CSSLP, HCISPP) for security professionals worldwide. The double-blind study was not restricted to (ISC)²'s 142,000 members; roughly one-third of those surveyed belonged to the professional organization.

"We all have anecdotal evidence of people not getting a job, so what does this kind of a report mean to them?" said John McCumber, (ISC)² director of cybersecurity advocacy for North America,  who discussed the organization's latest research at last week's (ISC)² Security Congress 2018 in New Orleans.

That question is hard to answer, McCumber said, because there's a lot of regional variance across the globe. North America has a cybersecurity workforce shortage that is significant, with demand outpacing supply by 498,000, followed by Europe, the Middle East and Africa, with an estimated 142,000 open positions; and Latin America, with 136,000.

According to (ISC)², the cybersecurity workforce shortage is putting companies at risk for harmful cyberattacks. The lack of cybersecurity staff created "extreme" or "moderate" risk for 59% of the organizations surveyed.

"Unlike a lot of technology, security doesn't have an easily definable ROI, and I've given up trying to chase that," McCumber said. "The reason is because it's risk management."

Roughly 48% of companies represented in the survey expected to increase cybersecurity staffing in the next 12 months, while 39% anticipated no change; 5% expected a decrease, and 8% didn't know.

"The 48% of businesses are looking to increase their staff because they've realized that what they have currently is not suitable for the risk that they carry," said Tony Vizza, (ISC)² director of cybersecurity advocacy for the Asia-Pacific region.

Vizza noted that cybersecurity has some parallels with the early aviation industry, which has learned over the years to implement controls to prevent human error and better manage risk.

The top three qualifications for employment, according to the cybersecurity professionals surveyed, included relevant cybersecurity experience, 49%; knowledge of advanced cybersecurity concepts, 47%; and cybersecurity certifications, 43%. Graduate and undergraduate degrees related to cybersecurity scored lowest at 21% and 20%, respectively, the survey found.

[Figure: Almost half expect cybersecurity staff to increase]

Broader global workforce

While the cybersecurity workforce shortage comes as no surprise, the global cybersecurity community is becoming younger and more diverse than previous studies indicated, according to (ISC)². More than one-third, or 35%, of the cybersecurity professionals surveyed identified as millennials; baby boomers and generation X accounted for 49% of respondents.

Women represented 24% of cybersecurity professionals, a sharp increase from the 11% shown in other studies. The difference may be attributed in part to a "broader view of who works in the field," according to (ISC)² researchers.

The study found that on average, cybersecurity professionals have worked in IT for 13 years, with seven years spent on security-related tasks. Roughly 65% of cybersecurity professionals reported to IT directors or C-level executives whose primary function was not related to cybersecurity.

The annual salary of the cybersecurity professionals surveyed, on average, is $85,000, according to (ISC)². Cybersecurity professionals with certifications earned more, at $88,000; those without earned less at $67,000.

The cybersecurity workforce shortage has also affected the professional growth of current employees, the report found. The biggest job concerns, according to the cybersecurity professionals surveyed, involved lack of skilled or experienced cybersecurity personnel, 37%; as well as resources to perform successfully, 29%; budget for key security initiatives, 28%; and time to do the job effectively, 27%.

Some cybersecurity professionals indicated a desire to shift priorities from time-consuming tasks such as security administration, network monitoring and incident response to "high-value cybersecurity" areas such as threat intelligence analysis, penetration testing and forensics. However, the majority of respondents expressed job satisfaction; 21% indicated they are "very satisfied" and 41% are "somewhat satisfied."

"Most people are satisfied with their jobs," McCumber said. "Who knew?"
