Cybersecurity skills gap: Why it exists and how to address it

Understanding the cybersecurity skills gap and its impact

Alongside the heavy impact of the cybersecurity skills shortage exists a rising workload for the existing cybersecurity team, many vacant open job requisitions and a high level of burnout, according to the ISSA study.

The result is that companies, government agencies, educational institutions and other organizations have weaker security in place than they should, putting all of their employees, customers and constituents at increased risk of data breaches, privacy violations, financial fraud and other adverse consequences.

Bridging this vast gap requires understanding why the cybersecurity skills shortage exists and persists. This article explores that and proposes several ways that IT leaders and their organizations can address the underlying problems.

Top 5 causes of the cybersecurity skills shortage

Many factors have come together to cause the cybersecurity skills gap. Here are the top five causes:

1. The demand for cybersecurity talent keeps increasing. Not only has nearly every organization become completely dependent on technology, but technology also continues to become more complex. Securing today's systems, networks and data against cyber attacks is tougher than ever, with even more security technologies and processes needed to work in concert with each other. So, organizations need their cyber workforces to be larger and have a wider range of skills than ever before.
2. The pool of cybersecurity talent lacks diversity. According to a recent workforce study from ISC2, only about 25% of the cybersecurity workforce around the world is female. Another ISC2 study indicated that, although cybersecurity teams are becoming increasingly diverse, this is happening slowly. According to the research, 70% of cybersecurity workers 60 and older are white men, 13% are white women, 15% are non-white men and 2% are non-white women.
3. Employers have unrealistic expectations. Cybersecurity job descriptions often require college degrees, multiple certifications and years and years of experience in a variety of security disciplines. Many candidates who would be assets to organizations don't apply for these jobs because they assume that the requirements are truly required. Others do apply but don't even get a call back because they lack a degree or sufficient hands-on experience.
4. Employees aren't keeping their skills up to date. The challenges that employers need to tackle change over time, such as the increasing reliance on cloud security and the evolving threats against data and systems. But employees are so overworked that they often don't have the opportunity to learn new skills, attend training, take online courses or pursue new certifications. And this isn't just technical skills -- soft skills like communication are also needed.
5. Cybersecurity experts are leaving the profession. Alarmingly, a recent survey commissioned by Trellix found that over one-third of the cybersecurity workforce are planning to change careers. There's a major employee retention problem, due in large part to constant staffing shortages and the incredible pressure of many cybersecurity jobs. As people leave the field, the shortages become even worse, which causes more people to leave the field.

3 ways organizations can address the cybersecurity skills gap

There's no way to bridge the cybersecurity skills gap overnight, but organizations can start making progress today by doing the following three things:

1. Tap into underrepresented communities. Prioritize outreach to women, Hispanic Americans and other overlooked communities. Educate members of these communities on the incredible variety of opportunities in cybersecurity and show them how they can join the workforce. Make sure that your recruitment and hiring practices take diversity into consideration. Consider offering paid internships.
2. Build skills primarily in-house instead of by hiring experts. Organizations can tap into a much larger pool of workers if they relax job requirements and instead plan on building cyber skills internally by providing training, education and certification support for new employees to help get them up to speed. Enable new graduates, veterans, people transitioning from other careers, and those with an interest in and aptitude for cybersecurity to learn and grow. College degrees, certifications and several years of experience are simply not necessary for success at most cybersecurity positions.
3. Support your existing talent. Burnout is rampant today at many organizations. Especially when there is such a shortage of skilled people, it's easy for anyone who's unhappy to leave your organization and find a better opportunity elsewhere. However, there are also critical cybersecurity needs that must be met. Here are some strategies for supporting your existing workforce so they'll be less likely to leave:
• Whenever feasible, automate routine tasks -- especially those that are repetitive and boring or high stress. This will help reduce your labor needs and give your employees interesting, lower-stress work to do.
• Consider using managed security services, particularly for off-hours monitoring, analysis and incident response. Small organizations may want to outsource most of their security services altogether to reduce their need for dedicated cybersecurity staff and instead train their IT personnel to also handle occasional cybersecurity tasks.
• For particularly stressful or demanding positions, consider the possibility of job rotation. An example is rotating security operations personnel to a non-operations position after 12 or 18 months. This can help prevent burnout and also allows people to build additional skills, making them more valuable to your organization.
• When your employees are taking time off for vacation, sick leave or otherwise, let them actually be off work. Everyone needs a break from work; expecting employees to keep checking in with work while they're off -- and especially being on call or performing operational support -- is unfair to them and will certainly foster resentment. This may be a major culture change for your staff but it's likely to be well worth it, both for retaining existing staff and for attracting new employees.

Karen Scarfone is principal consultant at Scarfone Cybersecurity in Clifton, Va. She provides cybersecurity publication consulting to organizations and was formerly a senior computer scientist for NIST.