A new report from (ISC)², the world’s largest nonprofit membership association of certified cybersecurity professionals, estimates that the cybersecurity workforce is still facing a shortfall of skilled and trained staff in spite of a general improvement in 2020. Global growth would need to be at 89% to make up for it, with the majority of all organizations reporting that they currently have a staff shortage. This issue is greatly influenced by region, however, as some countries (such as the United States) are facing a much more manageable skills shortage than others. It is also substantially down overall from the findings in 2019, when a 145% growth gap in cybersecurity jobs was reported.
Cybersecurity workforce needs around the world
(ISC)² gathered data from 3,790 individuals responsible for security/cybersecurity at organizations based throughout most of the world’s major economies. Respondents also represented a variety of organizational sizes and industries. The cybersecurity workforce study was conducted from late April to mid-June of this year, emphasizing the response to the then-new COVID pandemic.
As with so many other studies this year, the central theme is the very sudden pivot to having a majority of staff be permanently off-premises. This has necessarily created massive cybersecurity challenges as organizations whiplashed into use of unfamiliar cloud services and were forced to accommodate all manner of personal devices of remote workers. 22% of the cybersecurity workforce had less than one day to secure remote systems, and 47% had no more than a week to make it happen. These numbers were fairly consistent across all of the regions of the world.
In spite of this challenge, there is a general sense of readiness among the organizations surveyed. Much of this seems to be attributable to senior leadership understanding and quickly adapting to these new needs, with 67% of organizations reporting that these executive decision-makers are fully cognizant of the increased security burden that comes with a shift to a remote work model.
One element of the cybersecurity workforce staffing issue appears to stem from the fact that IT professionals often have work elements that must be performed on-premises, such as directly accessing network components. About 42% said that their job could not be performed in its entirety from off-site, 36% said that security would not be effective without a regular on-site presence, and 24% worked in facilities with classified information that required on-site handling. Though it is a necessary element of the job for many cybersecurity professionals, 78% of respondents said they were at least “somewhat worried” about going into the office during the pandemic.
Budgeting has also been a serious issue, particularly for organizations that treat cybersecurity training and spending as a “value-add” item that is among the first to go when a crisis hits. 51% of respondents are concerned about the organization’s technology spending, and 54% are concerned about spending on the cybersecurity workforce. 22% of respondents feel there is a significant shortage of dedicated security staff, and 42% feel there is at least a slight shortage. Only 2% of organizations feel they are overstaffed in this area.
There are substantial regional differences in availability. The largest pool of trained and qualified workers is in the US, and consequently the country only feels that this workforce needs to grow by 41% to close the cybersecurity skills gap. The Asia Pacific region is struggling the most with the workforce gap, with a need for over two million cybersecurity professionals to only 168,000 in Europe and 376,000 in North America.
Low entry barrier and high job security
Some good news is that the bar to entry for new workers interested in joining security teams is not tremendously high. 78% of those in cybersecurity roles report having only a bachelor’s degree, and about 30% of those are not in an IT field. 8% have only a high school degree. Certifications and demonstrable hands-on experience obtained outside of traditional school structures clearly still carry a lot of weight in this field. Organizations also report that 23% of their cybersecurity workforce hires are adult career changers.
Job security in the cybersecurity workforce is also fairly high with the average time spent in an IT role at 11.5 years and the average time working in that role for one company at 6.7 years. And job satisfaction is higher than it is in most other career fields in spite of the added pandemic stresses, with 75% reporting that they are at least “somewhat satisfied” and only 12% reporting any level of dissatisfaction. Global average pay is also quite high at a global average of $83,000 per year, with an average salary of $112,000 in the US in spite of the largest possible pool of qualified workers residing there.
Not surprisingly, cloud computing security is the most in-demand specific skill in the cyber security workforce. 40% of organizations are planning to hire skilled professionals in this area over the next two years.