The skills gap in cybersecurity has been a hot topic for over 10 years now. Individuals are willing to enter the cybersecurity industry, but companies rarely give those seeking an entry-level position a chance. The reason is that automation covers the roles and responsibilities of entry-level positions, which include many mundane, repetitive tasks, while companies focus on hiring individuals with more experience who can solve complex tasks. Based on the Life and Times of Cybersecurity Professionals 2021 research report presented by ESG, it has been challenging for organizations to hire and recruit mid-career professionals (4-7 years of on-the-job experience) and senior professionals (7+ years of on-the-job experience). This is in line with the argument that while it’s easier to hire for entry-level positions, the demand lies among the more skilled professionals.
“If we wanted the cybersecurity market to have a supply and demand ratio in line with the broader market, we effectively have to double the cybersecurity workforce overnight.” – Will Markow, VP of Applied Research at EMSI | Burning Glass
Keep reading to learn more about the cybersecurity skills gap, with contributions from Will Markow, VP of Applied Research at EMSI | Burning Glass. He leads the custom research and consulting team, focusing on the impact of emerging technologies on the workforce and, through the CyberSeek initiative, on the key trends and challenges facing the cybersecurity workforce.
Fast Facts about the Current Skills Shortage In the USA
We’ve covered that the skills gap has been a topic of focus for quite some time now, but how big is the issue exactly and what has been the impact?
CyberSeek 2021 Stats:
- The global cybersecurity workforce gap stands at 3.1 million in 2020
- The total employed cybersecurity workforce across the United States sits at approximately 956,000
- There are currently approximately 464,000 annual cybersecurity job openings across the United States
- CISSP is the most requested cybersecurity certification, appearing in over 100,000 openings every year, but there are only 90,000 CISSP-certified individuals in the entire country
- Some of the top job titles requested by employers include:
  - Cybersecurity Analyst, Consultant, Manager
  - Software Developer
  - Systems Engineer
  - Network Engineer
  - Penetration & Vulnerability Tester
“Ever since we started CyberSeek we’ve seen a continuous trend of hiring difficulty in the space and there are not many signs of that talent shortage lightening up anytime soon.” – Will Markow
ISACA 2020 State of Cybersecurity report:
- Fewer than half of cybersecurity applicants are well qualified (according to 70% of respondents)
Organizations have also been feeling the pain, revealing that the skills crisis has impacted 57% of the respondents. Those organizations that have been impacted shared that the top ramifications include an increasing workload on personnel, new jobs remaining unfilled for weeks or months, high burnout and attrition among staff, and the inability to learn or use security technologies to their full potential.
“A big pain point for employers is trying to fill cybersecurity job positions. On average, they take about 21% longer to fill than other IT jobs, which are already among some of the hardest to fill jobs in the market.” – Will Markow
Many organizations also make basic mistakes when it comes to hiring and recruiting professionals in the industry. 29% said their HR departments don’t understand the skills needed for cybersecurity, so there’s a high likelihood of gaps being present in teams.
“About 85% of cybersecurity jobs are calling for a minimum of three to five years of work experience, so by not offering more entry-level jobs there is limited opportunity for employers to build their pipeline of cybersecurity workers and help grow the next generation of cyber professionals.” – Will Markow
According to cybersecurity professionals, the responsibility for taking the necessary actions to address the impact of the skills shortage lies with the CISO/CSO, executive management, and the VP of HR or similar positions.
The Need for Continuous Training
A simple change that organizations can make to address this industry issue is to offer cybersecurity career advancement opportunities and commit to increased cybersecurity training across the organization, which is also what 59% of professionals are asking for.
“Employers should rethink their hesitance if they currently are not training their workers or investing in their career development, because we found that it can be an effective retention tool.” – Will Markow
The cybersecurity industry is a dynamic space that is constantly evolving, given the rapid technology changes and attack vectors, so individuals tasked with protecting an organization may be operating on outdated knowledge.
Cybersecurity professionals must keep their skills fresh and seek out the latest information about security, network vulnerabilities, and the latest capabilities; otherwise, organizations they work for are at a disadvantage to the cyber adversaries. Additionally, adversaries utilize AI to create more sophisticated attacks, even applying it to information captured and posted to the dark web. Organizations need to be more open to leveraging similar technology to protect themselves better and up-skill their teams. AI and analysts can work hand in hand, rather than independently, to understand an analyst’s unique skillsets and contextual awareness and optimize their workflow automatically to enhance their performance.
Another factor that adds to the skills shortage, and a reason training efforts haven’t advanced in the space, is the conflict between the need for training and the time actually allocated to it. According to 59% of cybersecurity professionals, the high demands of their day-to-day jobs get in the way of proactive education.
On the Job Training
“Certificates can be an effective signal to employers that someone has experience within cybersecurity, and they have the right skills to perform the job, but there’s a problem when that becomes the only way to demonstrate that you have competence in the cybersecurity field.” – Will Markow
Without continuous cyberlearning, professionals fall behind and are considerably less effective in as little as 3 months. It has always been taught that hands-on experience provides more value than classroom learning, and 52% of cyber professionals agree that hands-on experience is more important than certifications, while 46% place equal importance on hands-on experience and certification achievements. But since job demands make it difficult for them to take the time to absorb new information and complete additional training, there needs to be a shift towards on-the-job training.
Organizations can leverage technology to put data to work, get visibility into where their cybersecurity team’s skills lie, and visualize unique characteristics based on the problems and incidents the team resolves. Understanding how a team solves problems in almost real time helps trainers or senior leaders see what the best performers are doing, so that knowledge can be shared across the team, and where there is room for improvement, so it can be addressed right away. Having access to this type of data and insights into your team will help fix the issue around hiring by allowing HR professionals to know the skills they should be looking for when hiring to fill any gaps a team has. In conclusion, hiring more analysts can’t always be the answer, and organizations need to focus more on upskilling their current teams to protect themselves against cyber-attacks.
References
- Dawson, J., & Thomson, R. (2018). The Future Cybersecurity Workforce: Going Beyond Technical Skills for Successful Cyber Performance. Frontiers in Psychology, 9, 744. https://doi.org/10.3389/fpsyg.2018.00744
- ESG Research Report, The Life and Times of Cybersecurity Professionals 2021, Volume V, July 2021.
- ISC2 Cybersecurity Workforce Study 2020. https://www.isc2.org/-/media/ISC2/Research/2020/Workforce-Study/ISC2ResearchDrivenWhitepaperFINAL.as
- CyberSeek. https://www.cyberseek.org