What Is The Cybersecurity Talent Gap?
CISOs have many priorities: identifying top technology to mitigate risk, making strategic decisions with the board, and managing the workforce, which means ensuring there is enough cyber talent to fill those positions. Today we will talk about the workforce and what the cybersecurity talent gap means.
If you think about it, every technological advance we make has a security component, especially in the current era of the Internet of Everything. Every connection, every device and every application with an internet connection must have security built into the equation. Having security built into everything means security skills are in high demand.
In 2022 the demand is outstripping supply in both people (talent) and skills – hence our current cyber security (or cybersecurity) skills gap.
This helps explain why cybersecurity had one million unfilled job openings in 2013 – and 3.5 million in 2022, according to Cybersecurity Ventures. The same analyst firm estimates that number to remain constant over the next five years as companies scramble to retain talent by retraining employees.
Security Earlier: The Cybersecurity Talent Assessment
Most people don’t know what they’re good at until they’re exposed to that thing. Hidden talent is everywhere. Your next cyber superstars might already be on the payroll – put yourself in a position to find them.
Few cybersecurity workers started out in cybersecurity. Most had a technology background of some kind, perhaps in software development or as a technology lead at a marketing or PR firm. The point is that as cybersecurity grew, these people rotated into the mix. If someone understands networking or IT, cybersecurity is well within reach. They just need to be upskilled.
Compared with other technology, cybersecurity is one of the more interesting, relevant, and dynamic tech fields. Encouraging people to enter it is not a daunting task.
5 Reasons for the Cybersecurity Talent and Skills Gaps
In this article we’ll discuss the top five reasons for the current cybersecurity skills gap, and how to overcome it.
1. Need For Skilled Professionals
According to Fortinet’s 2022 Cybersecurity Skills Gap Global Research Report, 81% of organizations are looking for people with certifications when hiring. This is perfectly understandable…who doesn’t want to hire pre-qualified talent?
2. Developers and Technology Can’t Keep Up
First they came for the perimeter, so we invested in firewalls, border routers, UTMs and endpoint security. As we migrated to SaaS and cloud environments, entirely new ways to penetrate networks unfolded. Brute force and DDoS gave ground to credential theft and business email compromise (BEC) attacks.
In 2022 there’s an app for everything, and they all connect to the internet. In addition to the usual suspects (games and productivity software) we have applications controlling cars, baby monitors, refrigerators, and pet cameras. Most of these devices run apps connecting to the internet, so app developers must know how to securely write code. Not enough do. In short: too many apps, not enough security.
Adding to this combustible mix is the fact that human beings are still the #1 target of threat actors. According to the World Economic Forum, 95% of successful attacks require employee interaction. According to Verizon, humans are a key driver of 82% of breaches. Whether it’s 95, 82 or somewhere in between, it’s clear humans are still the problem in cybersecurity. Given this fertile threat landscape, upskilling and reskilling employees for careers in cybersecurity is key to business survival.
3. Lack of Reskilling / Upskilling
In just 15 years, cybersecurity has moved from a back-burner afterthought to top of mind in the C-suite. Given the well-publicized and devastating costs of breaches, security is becoming a board-level priority. Globally, 88% of organizations with a board of directors report that board members now inquire specifically about cybersecurity.
As a result of these discussions, 76% of boards of directors globally are suggesting an increased headcount for IT and cybersecurity. Traditionally this means hiring pre-qualified workers from outside the company.
Instead of just throwing money at new people, organizations would do well to “re-skill” and “up-skill” their current workforce. Generally, retaining talent is more cost-effective than hiring new talent.
And the simple truth is, sometimes average workers flourish in a new setting within the same company. Maybe it’s their new boss who brings more out of them, or a more challenging role that’s a better fit for their strengths. In fact, your next security superstar might be toiling under your nose right now, in a different position. Do you have programs in place to identify cyber skill sets?
4. College / Higher Ed Not Turning out Job-Ready Grads
While colleges and higher education have made great strides in offering Information Technology curriculums, the cybersecurity discipline specifically has not reached critical mass to keep up with private sector demands. When it is offered, it often graduates students with a solid theoretical background but bereft of “real-world” and actionable skill sets.
According to a recent survey conducted by Statista, only 27% of cybersecurity graduates are prepared for work challenges in 2022.
For students less concerned with theory and more interested in 2022’s threat landscape and real-world attack scenarios, programs like the ThriveDX Cybersecurity Professional Bootcamp can serve as a viable alternative. It offers the cybersecurity certifications employers are looking for and features a direct pipeline to household-name employers.
5. Lack of Diversity
Women account for 47.7% of the global workforce. Yet women held just 25% of cybersecurity jobs in 2021. This represents just one example of the cybersecurity field holding back its own potential.
89% of global companies have explicit diversity goals as part of their hiring plan. Globally, 70% of IT managers see the recruitment of women and new graduates as a top three challenge. In an industry that has traditionally pursued similar candidates in the same geographies (i.e., Silicon Valley), breaking away from this mindset will necessarily involve innovative approaches.
Why Should Diversity Matter?
Why does diversity matter in cybersecurity? Shouldn’t we just hire the best people, regardless of what boxes they check? That’s the entire point. The best business decisions tend to come from the most diverse workforces.
Ask yourself: do all cyberattacks come from white males? Of course not. Our cyber adversaries are diverse. Understanding them will require a diverse set of stakeholders.
Cybersecurity Skills Assessment: Solving the Cyber Talent Gap
How do professional sports teams overcome talent shortages? They do so in one of two ways. They either hire free agents or develop their farm teams / development squads.
Hiring pre-qualified or pre-certified candidates is the business world equivalent of hiring free agents. It might solve your problem today, but it will likely cost you in areas of salary and turnover. Because they haven’t been developed internally, these new hires possess no company loyalty. How long will they be there…until a better offer comes along?
The other approach, of course, is to develop the talent you have.
15 Years Conducting Cybersecurity Talent Assessments
I spent 15 years developing cyber-recruits for the elite Unit 8200 of the Israeli Defense Force. During that time, I became adept at identifying certain skill sets that transition well to careers in cybersecurity.
Identifying and developing cyber talent is woven into the foundation of ThriveDX’s offerings, including Security Awareness Training and Application Security Training for Developers.
For more information on ThriveDX’s enterprise security training programs, please visit us at https://thrivedx.com/for-enterprise.
Roy Zur is the CEO of ThriveDX’s Enterprise Division and founder of Cybint Solutions (acquired by ThriveDX in 2021). His background in cybersecurity and intelligence stems from his time as a Major in the Israeli Defense Forces, Cyber Unit 8200. Zur has more than 15 years of experience in developing cybersecurity training and education for organizations globally.
Zur also serves as an adjunct professor of risk management in cybersecurity for the MBA-AI program at Reichman University, and is the founder and chairman of The Israeli Institute for Policy and Legislation non-profit.