The world’s largest nonprofit association of certified cybersecurity professionals, (ISC)2, estimates we’ve had a year-over-year increase of 7,000 cybersecurity professionals and that over four million people currently work in cybersecurity worldwide. And yet shortages remain. The workforce gap is increasing everywhere, including the Asia-Pacific region, which, at nearly 1.5 million cybersecurity professionals short, has the lowest talent gap. Elsewhere in the world, the need far outweighs the supply.
What happens when companies cannot find highly qualified cybersecurity professionals? Increased risk. While many companies look to adopt technology to increase automation and offset the gaps caused by these headcount shortages, problems sometimes remain because finding relevant talent still presents challenges. According to the 2021 (ISC)2 Cybersecurity Workforce Study, a shortage of cybersecurity professionals has caused significant, real-world consequences for many companies, including issues with:
- Misconfigured systems (32%)
- Not enough time for proper risk assessment and management (30%)
- Too much lag time for patching critical systems (29%)
- Oversights in procedures and processes (28%)
- The inability to keep on top of active threats against company networks (27%)
- Rushed deployments (27%)
A company fully staffed with cybersecurity professionals able to identify, uncover and address data breaches and ransomware attacks is better protected.
Several factors contribute to the current global shortage, but solutions exist for people interested in entering the field to grow their skills and increase their hire-ability.
Closing the cybersecurity workforce gap
Organizations have multiple opportunities to close the cybersecurity gap, starting with reducing the time it takes to fill new cybersecurity positions. For example, the ISACA State of Cybersecurity 2021 report found that 16% of respondents say it takes six or more months to fill a position. An average of 50% of hiring managers surveyed also said they don’t believe applicants are well-qualified.
Human skill development has become an essential part of these roles. Employers expect their employees to bring soft skills, including well-developed communication, sharing, knowledge transfer and problem-solving skills. Candidates also need good interpersonal skills, adaptability, flexibility and empathy. As we saw during the past two years, each of these proficiencies is critical for short- and long-term success and for building relationships within companies and teams and with other internal and external stakeholders.
ISACA reported in its State of Cybersecurity 2022, Global Update on Workforce Efforts, Resources and Cyberoperations that 60% of respondents indicated a challenge with retaining cybersecurity professionals — up from 53% in 2021. These professionals are leaving for various reasons:
- 59% are recruited by other companies.
- 48% receive poor financial incentives through salary or bonuses (or both).
- 47% see limited opportunities for professional development or promotion.
- 45% experience high levels of work-related stress.
- 34% indicate a lack of management support.
But even these stats don’t discount the finding that, generally speaking, cybersecurity employees are satisfied by — and engaged in — their jobs. The (ISC)2 report found, for example, that 77% of respondents report being “satisfied” or “extremely satisfied” with their jobs. The challenge remains for organizations to acknowledge the value of these employees and offer appropriate compensation, professional growth opportunities and enough support.
Training, upskilling and reskilling cybersecurity pros
The most important technical skills a cybersecurity professional can have today include cloud security, data analysis and programming. But cybersecurity professionals develop proficiency gradually — and cramming 30 credit hours of cybersecurity classes into 12 months or paying $20K for a certification from the local community college isn’t always practical.
Higher education institutions have been working on adding certifications to address the knowledge gap. However, employers want to see experience, not just the right combination of courses and certificates. Certifications are great for building a resume and getting a foot in the door. But given the rapidly shifting security landscape, there’s no substitute for boot camps, apprenticeships and real-life work experience.
It takes time to increase competency and develop deep knowledge. While companies and colleges have taken steps to offer opportunities to upskill and deepen knowledge, cybersecurity professionals must take an active role in their development. To start, they can:
- Think about the depth and breadth of their experiences and expertise gained through education and previous work experience.
- Identify where they’ve made an impact based on past abilities to execute.
- Reflect on their motivations and comfort levels based on current experience and contributions.
- Identify other opportunities to add more value through additional training.
Cybersecurity employees who willingly embrace opportunities to expand, learn and acquire new skills are essential for all organizations’ current and future safety and security. Organizations can also take the initiative to reskill and upskill their existing cybersecurity workforce.
For example, even if it’s challenging to find — and hire — a full-time industry expert, companies can partner with an expert on a contract, as-needed basis to help train their current cybersecurity employees. These experts bring in-depth knowledge and understanding of the entire security ecosystem, know its vulnerabilities and strengths and can predict future trends. This reservoir of knowledge informs the type of cybersecurity training modules they design and deliver.
Internal cybersecurity training can run the gamut from refresher courses to new information. These trainings can include in-classroom lectures, guest speakers and hands-on, on-the-job training where experienced employees offer guidance as participants identify and mitigate actual security threats.
Another approach, which involves partnering with higher education institutions and benefits all parties, is to develop internship programs. Internships allow organizations to cultivate and nurture relationships with upper-level students and recent graduates. Well-designed internships include comprehensive hands-on training, learning and mentorship with an eye toward a long-term career and future professional growth.
It’s rare that a day or week passes without some respected organization hosting cybersecurity webinars and online events. Organizations should encourage employees to attend these events when relevant.
Constant change requires continuous learning
Unlike some other industries, cybersecurity requires a commitment to continuous learning. The technical skills that got you the job today might not help you keep it a year from now. Trends change. Technology evolves. Cybercriminals find new ways to infiltrate previously secure systems. Cybersecurity professionals need to keep up.
How we work remains dynamic. More of us work remotely or in hybrid environments — approaches requiring additional security as employees use corporate and home networks. As more companies embrace digitalization, new security vulnerabilities will keep emerging. Cloud solutions continue to grow, with 94% of enterprises relying on the cloud, including 69% using hybrid cloud solutions, 91% using a public cloud and 72% using a private one.
The cybersecurity field needs more — not fewer — professionals. Closing the gap requires a multi-pronged approach, from increasing training for current employees to promoting career paths within companies and encouraging colleges, universities and trade schools to include certification programs and internships. In the meantime, reduce manual, repetitive workloads with solutions that are highly automated and integrate easily to maximize teams you already have.
A serial entrepreneur and global executive, Valimail CEO Alexander García-Tobar has been CEO at two previous firms and has run global sales teams for three companies that went IPO. He held analyst and executive positions at leading research companies such as The Boston Consulting Group and Forrester Research along with Silicon Valley startups such as ValiCert, Sygate and SyncTV.