While the result is unsurprising based on general projections from recent years, ISC2’s 2023 Cybersecurity Workforce Study confirms that hiring and skill gaps continue to be a major issue even as the pool of available candidates grows. Respondents also report that the job is not getting any easier in a post-pandemic environment, with three out of four saying that the current threat landscape is the most difficult it’s been in the past five years.
Cybersecurity workforce gap growth outpacing influx of new professionals
The cybersecurity workforce continues to grow, but not nearly fast enough to keep pace with demand. This is just one of several factors contributing to what the report calls a “perfect storm” of instability in the field, which in turn necessarily weakens the security of global networks and infrastructure.
Though this trend in the cybersecurity workforce has been in place for some years now, there was at least some hope of improvement in the threat environment after the massive instability induced by the Covid-19 pandemic and a rapid shift to work-at-home and more cloud-based models. The report indicates that no relief is in sight yet in this area. Software supply chain vulnerabilities continue to be just as serious an issue, and the invasion of Ukraine (and now potentially the war in Gaza) has elevated malicious cyber activity enough to offset any gains in organizational network stabilization or increased physical presence in offices.
The center of the threat landscape issues may be economic, however. The Cybersecurity Workforce Study also finds that insider threats are on the rise, even as nearly half of workforces have cut back on IT staff. Most of this seems to be spurred by outside threat actors approaching employees, offering them direct payment for credentials or the creation of openings into the network.
In terms of the cybersecurity workforce gap, the number of available candidates has grown by 8.7% in the past year. That would be good news if the number of unfilled positions had not also grown by 12.6%. Specific skill gaps are acute, with 92% of organizations reporting that they have some particular need (such as zero trust or cloud security specialization) that they are not currently able to fully staff. 67% of respondents say that the problems with these particular skill gaps are worse than the problems with overall IT or security staffing numbers.
“Worst” threat landscape rattles confidence of over half of cybersecurity teams
To put more specific numbers on the situation, 2022 saw 5.5 million new members join the cybersecurity workforce. However, even with that there remains a shortfall of about 4 million. That gap actually increased from 2021, and will likely increase again when 2023 is fully accounted for.
Despite the overall gap and the acute failures to find enough staff in critical areas, cutbacks are common, with 47% of respondents saying they have experienced layoffs, budget cuts or hiring freezes. 31% anticipate more cutbacks in the coming year.
This has led to only 52% of respondents reporting that they feel confident in the ability of their personnel (and their set of tools) to respond to cyber incidents over the next two to three years. This number increases as organizations report problems with filling skill gaps; 58% of respondents say that the biggest factor in restoring confidence is to address these key shortages in specific skills.
In spite of all these sustained difficulties, 70% of the cybersecurity workforce says that they remain highly satisfied with their job. There was a decrease of 4% from the prior year, however, attributed primarily to cutbacks and increasing feelings of job insecurity and overwork. Despite high job satisfaction, more general economic uncertainty seems to be contributing to a small spike in malicious insiders playing a role in breaches. 39% of cybersecurity professionals say that either they or someone they know has been approached by some outside threat actor about a scheme to steal from the company, with recent layoffs seeming to triple the number of these attempts.
All of the regions of the world saw a boost to their cybersecurity workforce when the numbers are pooled, but certain countries saw small losses of around 1% to 3% overall: Australia, Germany, Mexico and Singapore among them. The gap also increased in some regions, particularly in Latin America (which saw a 32.5% change). Singapore, Australia, the UAE, Mexico and Brazil saw similarly large jumps in their gaps.
In terms of filling cybersecurity workforce skill gaps, money seems to be the first and foremost concern. 48% of respondents who felt their companies did not offer competitive pay also reported critical skill gaps, compared to 31% of those who felt compensation was fair. 42% of all respondents with skill gaps said that they struggled to retain people in these areas due to relatively low pay or lack of promotion opportunities. 41% said that there just wasn’t enough money in the budget, and 32% said that the organization recently had people with these skills but they quit and have not yet been replaced.