Cybersecurity skills gap: Why it exists and how to address it
The cybersecurity skills shortage is putting enterprises at risk. Worse, it shows no sign of abating. Here is why it's happening and what employers can do to mitigate the problem.
It's no secret that companies are facing a huge cybersecurity talent shortage. The word's been out for several years that many high-paying positions requiring cybersecurity skills are going unfilled.
Unfortunately, broadcasting the cybersecurity skills gap hasn't done enough to increase the cyber workforce. Indeed, the vast majority of cyber professionals (95%) believe the skills gap has not improved over the past few years, and nearly half (44%) believe it has gotten worse, according to research from Information Systems Security Association (ISSA) and analyst firm Enterprise Strategy Group (ESG), a TechTarget division.
How big is the gap? Cyberseek reported there are around 1.1 million people employed in cybersecurity in the U.S., but over 700,000 unfilled positions are currently available. Worldwide, the cyber workforce shortfall is approximately 3.5 million people, according to Cybersecurity Ventures.
Understanding the cybersecurity skills gap and its impact
Meanwhile, as organizations compete against each other to acquire the scarce talent available, cybersecurity salaries keep escalating, meaning that organizations can't afford to hire as many cybersecurity workers. The existing workforce is asked to take on more work, which in turn causes burnout, the ISSA study found.
The result is that companies, government agencies, educational institutions and other organizations have weaker security in place than they should, putting all of their employees, customers and constituents at increased risk of data breaches, privacy violations, financial fraud and other adverse consequences.
Bridging this vast gap requires understanding why the cybersecurity skills shortage exists and persists. This article explores that and proposes several ways that IT leaders and their organizations can address the underlying problems.
Top 5 causes of the cybersecurity skills shortage
Many factors have come together to cause the cybersecurity skills gap. Here are the top five causes:
- The demand for cybersecurity talent keeps increasing. Not only has nearly every organization become completely dependent on technology, but technology also continues to become more complex. Securing today's systems, networks and data against cyber attacks is tougher than ever, with even more security technologies and processes needed to work in concert with each other. So, organizations need their cyber workforces to be larger and have a wider range of skills than ever before.
- The pool of cybersecurity talent lacks diversity. According to a recent workforce study from (ISC)2, only about 25% of the cybersecurity workforce around the world is female. A survey from the Aspen Institute determined that in the United States, 19% of the population is Hispanic but only 4% of the cyber workforce is Hispanic. Native Americans and Black Americans are also significantly underrepresented in cyber careers.
- Employers have unrealistic expectations. Cybersecurity job descriptions often require college degrees, multiple certifications and years and years of experience in a variety of security disciplines. Many candidates who would be assets to organizations don't apply for these jobs because they assume that the requirements are truly required. Others do apply but don't even get a call back because they lack a degree or sufficient hands-on experience.
- Employees aren't keeping their skills up to date. The challenges that employers need to tackle change over time, such as the increasing reliance on cloud security and the evolving threats against data and systems. But employees are so overworked that they often don't have the opportunity to learn new skills, attend training, take online courses or pursue new certifications. And this isn't just technical skills -- soft skills like communication are also needed.
- Cybersecurity experts are leaving the profession. Alarmingly, a recent survey commissioned by Trellix found that over one-third of the cybersecurity workforce is planning to change careers. There's a major employee retention problem, due in large part to constant staffing shortages and the incredible pressure of many cybersecurity jobs. As people leave the field, the shortages become even worse, which causes more people to leave the field.

3 ways organizations can address the cybersecurity skills gap
There's no way to bridge the cybersecurity skills gap overnight, but organizations can start making progress today by doing the following three things:
- Tap into underrepresented communities. Prioritize outreach to women, Hispanic Americans and other overlooked communities. Educate members of these communities on the incredible variety of opportunities in cybersecurity and show them how they can join the workforce. Make sure that your recruitment and hiring practices take diversity into consideration. Consider offering paid internships.
- Build skills primarily in-house instead of by hiring experts. Organizations can tap into a much larger pool of workers if they relax job requirements and instead plan on building cyber skills internally by providing training, education and certification support for new employees to help get them up to speed. Enable new graduates, veterans, people transitioning from other careers, and those with an interest in and aptitude for cybersecurity to learn and grow. College degrees, certifications and several years of experience are simply not necessary for success at most cybersecurity positions.
- Support your existing talent. Burnout is rampant today at many organizations. Especially when there is such a shortage of skilled people, it's easy for anyone who's unhappy to leave your organization and find a better opportunity elsewhere. However, there are also critical cybersecurity needs that must be met. Here are some strategies for supporting your existing workforce so they'll be less likely to leave:
  - Whenever feasible, automate routine tasks -- especially those that are repetitive and boring or high stress. This will help reduce your labor needs and give your employees interesting, lower-stress work to do.
  - Consider using managed security services, particularly for off-hours monitoring, analysis and incident response. Small organizations may want to outsource most of their security services altogether to reduce their need for dedicated cybersecurity staff and instead train their IT personnel to also handle occasional cybersecurity tasks.
  - For particularly stressful or demanding positions, consider the possibility of job rotation. An example is rotating security operations personnel to a non-operations position after 12 or 18 months. This can help prevent burnout and also allows people to build additional skills, making them more valuable to your organization.
  - When your employees are taking time off for vacation, sick leave or otherwise, let them actually be off work. Everyone needs a break from work; expecting employees to keep checking in with work while they're off -- and especially being on call or performing operational support -- is unfair to them and will certainly foster resentment. This may be a major culture change for your staff, but it's likely to be well worth it, both for retaining existing staff and for attracting new employees.