What You Need to Know About the Cybersecurity Workforce Gap
Due to an increase in cyber attacks and a growing threat landscape, the cybersecurity workforce gap continues to widen.The (ISC) 2022 workforce study found that 464,000 individuals joined the cybersecurity workforce over the last year—bringing the total number to 4.7 million people across the globe. So, the good news is the cybersecurity workforce is growing.
Unfortunately, the gap is growing even faster. In fact, despite these numbers, there’s still a global cybersecurity workforce gap of 3.4 million people.
It’s easy to look at these numbers and think that there just aren’t enough people to keep up with the industry at the rate it’s growing, and while that is part of the issue, there’s also evidence that this may be more of a skill shortage than a talent shortage.
Let’s break it down.
Skill Shortage vs. Talent Shortage: What’s the Difference?
A talent shortage is when there simply aren’t enough human resources to get a job done. A skill shortage is slightly different—there may be enough people on the job, but as the industry evolves and cyber attacks become more complex, cybersecurity professionals don’t have the skills to combat them.
Fortinet’s 2022 Cybersecurity Skills Gap report found that 60% of organizations struggle to recruit cybersecurity professionals, and 52% struggle to retain them. What’s more, that same survey found that 81% of leaders prefer to hire people with certifications, and 78% find it hard to find certified people.
A growing threat landscape and developing technology is a major contributing factor. Cyber attacks are becoming more difficult to detect and defend. According to the International Security Journal, the number of new ransomware variants in 2022 increased by nearly 100% in just six months. Tactics used by cyber criminals are evolving at an alarming rate, and businesses need security professionals who can adapt alongside them.
How Is It Affecting Businesses and Professionals?
Organizations everywhere have felt the effects of this shortage. Fortinet found 80% of organizations worldwide suffered one or more breaches that they could attribute to lack of cybersecurity skills, and almost 40% suffered from breaches that cost them more than $1 million to remediate.
Those in the cybersecurity industry have felt these effects too. Understaffed companies resort to overworking the talent they do have, increasing burnout rates and reducing overall effectiveness. Many respondents to ISC’s 2022 workforce study said they were lacking support from executives and felt they had too many emails and tasks at work.
This can result in low employee engagement and a more negative culture—not to mention an increase in data vulnerabilities.
How Do We Fix It?
We’ve gone over the numbers and pinpointed some potential causes. So, now what? Let’s take a look at a few things both employers and job seekers can do to close this gap.
Develop Pathways for Novice Professionals
Starting with young workers just entering the workforce allows companies to build their own security professionals that can address their specific needs and have the necessary skills when the time comes. This means investing in training and education for new hires and staying vigilant in leveling up the skills of current professionals.
Here are some training resources:
ISC has pledged to train one million people in Cybersecurity for free to help them get their start in the workforce.
Funded entirely by scholarships, SANS Cyber Immersion Academies prepares students to pass multiple industry-recognized certification exams in six months.
Fortinet offers a range of free cybersecurity training courses, including on demand labs and self-paced courses.
A few certifications to explore for entry-level positions:
CompTIA Security+
SSCP (Systems Security Certified Practitioner)
GIAC Security Essentials (GSEC)
ISACA Cybersecurity Fundamentals
And for professionals looking to level up, consider these:
CISSP (Certified Information Systems Security Professional)
CCSP (Certified Cloud Security Professional)
CISM (Certified Information Security Manager)
Understand Recruiting Processes
Many “entry-level” cybersecurity positions require a few years of work experience—meaning the position isn’t truly entry-level. Managing expectations and knowing how to attract the type of talent a company needs can make a huge difference in finding the right fit.
Create Inroads From Other Departments
For decades, cybersecurity professionals have mostly transitioned from IT. However, ISC found that those numbers change as they look at younger professionals. In fact, nearly half of respondents under the age of 30 move into cybersecurity from a career outside of IT. Keeping the pathway between IT and cybersecurity intact should be a top priority for companies looking to maximize the resources they currently have.
“Many security engineers come up through IT," says Drata CTO Daniel Marshalian. "They know the systems, how they work together, and through training—internal or external—they get more and more into cybersecurity. This is a great career path for young professionals in IT. Sometimes it’s all about doing instead of attaining a formal degree. Especially since cybersecurity degrees aren’t the most popular curriculum at four-year research universities.”
Embrace Diversity, Equity, and Inclusion
70% of IT managers see the recruitment of women and new graduates as a top three challenge, according to Fortinet. A diverse security team gives businesses a better chance at understanding and thinking like cyber attackers, strengthening detection and prevention efforts.
Not only will a strong DEI program help companies reach a wider range of qualified candidates, but research also shows that diverse teams are generally more innovative—a crucial characteristic when facing complex challenges and attacks.
According to Lauren Zabierek, executive director of Harvard Kennedy School of Government’s Cyber Project, and Algirde Pipikaite, strategic initiatives lead at World Economic Forum, “the lack of diversity blinds us to the myriad ways that actors can attack us and robs us of the talent and engagement of important parts of the global population.”
Automate Wherever Possible
As the volume of cyber threats continues to rise, cybersecurity professionals have shouldered the burden of recognizing, interpreting, and addressing each of them—often on their own or in a small team. Many companies are not scaling their staff or their technology to meet the increased need, leaving their teams understaffed and overworked. The result is unhappy, burnt out employees at risk of quitting or leaving the field altogether.
The ISC study asked cybersecurity professionals who quit their job in the last two years what their biggest reason was for doing so, and 21% said they felt burnt out, 19% cited a bad work/life balance, and 14% said their team lacked resources and budget.
Automating your processes where you can will give your cybersecurity team the best chance for success while ensuring they maintain a balanced workload. Drata continuously monitors security controls, detects and responds to threats automatically, and bakes security checks into the software. Not only does this keep your company protected, but it also streamlines and organizes processes for your cybersecurity team—making them that much more efficient.
As cyber attacks and data breaches reach an all-time high, having a strong, effective cybersecurity team is more critical than ever. Facilitating the learning, education, and pathways for the emerging workforce not only helps close the widening gap, but it reduces the threat to businesses and their customers on a global scale.
To automate cybersecurity processes and help keep your company protected from cyber threats, book a demo today.