At a time when cyber risks are proliferating at a faster rate than at any time in history, organizations around the globe are struggling to find talented professionals who can help them defend against these risks. In fact, according to the latest Cybersecurity Workforce Study from (ISC)2, the world’s largest nonprofit association dedicated to IT security, there is currently a massive cybersecurity workforce shortage on a global basis. Around the world, there are currently 2.8 million cybersecurity professionals. Unfortunately, it would take a 145% increase in the number of these professionals in order to fill the current estimated need for 4.07 million cybersecurity professionals.
Key findings of the (ISC)2 report
Overall, the (ISC)2 report presents a very sobering look at the current cybersecurity workforce shortage. Despite steps taken in recent years – such as creating new security certifications and degrees, promoting the need for greater training and up-skilling, and highlighting ways that non-traditional job candidates can make an immediate contribution – very little seems to have been done to address the cybersecurity workforce shortage. In the United States, for example, a current cybersecurity workforce of more than 800,000 is still nowhere close to the number of cybersecurity jobs needed to protect government agencies, Fortune 500 companies, and small and mid-sized businesses. The current cybersecurity workforce shortage in the United States alone is projected to be 498,480.
The good news, though, is that cybersecurity professionals appear to be quite satisfied with their career choice, and are optimistic about the steps that their organizations are taking to address the cybersecurity workforce shortage. At the same time that 65% of cybersecurity professionals surveyed say that their organizations are facing a cybersecurity workforce shortage, a similar percentage (66%) is either “somewhat satisfied” (37%) or “very satisfied” (29%) with their career. Moreover, nearly half of the survey respondents (48%) say that organizational training budgets will be increasing over the next year.
From a salary perspective, too, there is a lot to be satisfied with, according to the (ISC)2 study on the cybersecurity workforce shortage. The average salary in North America for a cybersecurity professional, for example, is $90,000. And that figure rises to $93,000 for those professionals with a security certification. Presumably, salaries are higher in markets such as Silicon Valley or Washington, DC where cybersecurity hiring needs are very high. Overall, more than half (59%) of cybersecurity professionals today are either pursuing a new security certification (e.g. cloud security), or making plans to do so in the next year.
How to address the cybersecurity workforce shortage
The new (ISC)2 report on the cybersecurity workforce shortage also lays out some prescriptive remedies for dealing with the IT skills gap and boosting overall cyber defense capabilities. In fact, there are four different strategies and tactics that organizations can use in order to build and retain cybersecurity teams. First and most importantly, they can be doing more to highlight relevant training and professional development opportunities. There is a direct link between employee satisfaction, long-term workforce retention and the ability to provide the type of training and development opportunities that employees need and want.
Secondly, organizations should be casting a much wider net for talent. Instead of limiting their search only to applicants with a certain background or with certain security qualifications, they should be more open to the idea of recruiting candidates from tangential industries, sectors and academic qualifications. For example, instead of only hiring recent college graduates with a degree in cybersecurity, they should also be willing to explore the hiring of candidates from tangential fields such as computer science or from community colleges. In many ways, this will require a level setting of expectations, as organizations become better at spotting which skills and qualifications are transferable to cybersecurity.
And, finally, organizations must do a much better job of strengthening teams from within, primarily by investing in cybersecurity training and up-skilling initiatives. Organizations must become much better in sharing institutional knowledge, and distributing it across an entire organization if they are ever going to address the cybersecurity workforce shortage and fill job openings for cybersecurity positions.
Bob Noel, VP of Strategic Partnerships for Plixer, emphasizes the importance of cross-training and promoting from within: “Although there is a well understood cybersecurity skills gap, colleges and universities are not the only answer to this problem. Companies can ease the skills shortage with people already on their payroll. IT functions in most organizations split into network and security teams, which form two distinctive groups, but share the responsibility of reducing risk. The network team has intimate knowledge of networking protocols, normal user and application behavior, and is skilled in investigating and resolving problems.”
According to Noel, “These cybersecurity skills are fundamental to what is needed on the security side of the organization. Many network professionals not only want to learn more about security, but they know that gaining security skills is an opportunity for their own career growth. When organizations embrace this concept, they reveal a career development path for existing employees, reduce security risk with cross-trained employees, and solve the problem of having to go into the highly competitive jobs market.”
Growing signs of a more diverse cybersecurity workforce
One optimistic finding from the (ISC)2 report on the cybersecurity workforce shortage is that the overall workforce is becoming younger and more diverse, possibly a result of organizations widening their search to fill cybersecurity roles. According to the 2019 survey results, 30% of those surveyed are women. And more than one-third (37%) are below the age of 35. A small but growing percentage (5%) is now comprised of cybersecurity professionals under the age of 25. If this trend continues, it means that organizations will be well prepared for the eventual retirement of older IT workers with more formal backgrounds in cybersecurity.
Future key areas to address for cybersecurity training
According to the (ISC)2, there are several key areas that should be front-and-center for the cybersecurity programs of companies, whether they are a nimble tech startup or a huge Department of Defense contractor. In its 2018 report, for example, the (ISC)2 outlined four major areas to focus on going forward: cloud computing security, penetration testing, threat intelligence analysis and forensics.
Moreover, the (ISC)2 outlined some of the key challenges facing organizations as they go about solving the cybersecurity workforce shortage. One of these, for example, is the existence of “unclear career paths.” Quite simply, job candidates are not aware of a typical cybersecurity career, and how to progress from a more junior to a more senior role. Another challenge is a lack of organizational knowledge of cybersecurity skills. And, finally, a third challenge is the actual cost of education to prepare for a cybersecurity career.
Organizations and government agencies that can adapt their training and professional development initiatives to address and solve these challenges will be well on their way to solving the cybersecurity workforce shortage. In a world with an escalating number of threat actors and a widening attack surface, this is a more important priority than ever before.