Narrowing the Stubborn Cybersecurity Worker Gap
The business world has for years bemoaned a persistent gap between the number of cybersecurity jobs that need to be filled and the much smaller number of skilled and credentialed cybersecurity pros available to fill them.
According to the most recent report by Cyberseek, the demand continues to outstrip supply, with only enough workers to fill 85% of the cybersecurity jobs in the United States. Essentially, for every 100 such jobs, there are only 85 people available to fill them. About 225,200 more cybersecurity pros are needed to close the talent gap in a U.S. cybersecurity workforce that now includes more than 1.2 million people and which has expanded steadily over the past several years.
From May 2023 through April, employers listed 469,930 cybersecurity jobs, with cybersecurity engineers, cybersecurity analysts, and information systems security officers being among the most in demand, according to the Cyberseek numbers.
“Although demand for cybersecurity jobs is beginning to normalize to pre-pandemic levels, the longstanding cyber talent gap persists,” Will Markow, vice president of applied research at Lightcast, said in a statement. “At the same time, new threats and technologies are causing cybersecurity skill requirements to evolve at a breakneck pace, forcing employers, educators, and individuals to proactively anticipate and prepare for an ever-changing cyber landscape.”
Cyberseek is a joint effort between NICE – a NIST framework that describes cybersecurity work and the skills and knowledge needed to do the work – IT certification and training firm CompTIA, and market analytics company Lightcast. Cyberseek’s latest report was presented at the annual NICE Conference and Expo this week.
Things are Improving – Somewhat
The numbers this year weren’t as bad as those NICE presented in 2023, when it was estimated that 466,225 cybersecurity workers were needed to meet the demand, with only enough workers to fill 69% of the U.S. cyber jobs. A year ago, there were 1.1 million people employed in cybersecurity jobs.
Still, in a rapidly evolving IT world that is becoming more cloud-based and is stretching further out to the edge – and now is quickly being infused with generative AI and all the promise and risk that come with it – the need for cybersecurity workers will only grow. AI itself brings its own pros and cons. The technology will help cybersecurity workers in their jobs, giving them more powerful tools to identify and remediate threats and to automate many of the repetitive tasks in their work. That said, it also will give threat groups similar expanded capabilities.
The demand will continue to exist in the expanding tech sector. According to market research firm Statista, the global cybersecurity market will grow from $183 billion this year – just more than half going to security services – to $273.6 billion by 2028.
Layoffs Raise Eyebrows
Given that, layoffs by cybersecurity vendors like Trend Micro, Orca, Sophos, Zscaler, Secureworks, Proofpoint, and Rapid7 in the first few months of the year drew attention. However, the numbers weren’t as bad as the IT industry in general. Between May 2023 and April, the number of employer job listings for all tech occupations dropped 37%, while in cybersecurity, that number was 29%, according to Cyberseek.
Not all layoffs are equal, according to Ira Winkler, CISO and vice president at CYE, a risk optimization company. In a column in February, Winkler wrote that layoffs are a fact of life in the modern workplace and noted that some companies – even cybersecurity vendors – will let workers go to improve their balance sheets, shed duplicate jobs after acquisitions, or adapt to declining sales.
Some are the result of just terrible managers “whose incompetence and sociopathy deserve nothing but scorn,” he wrote. “However in most cases, there are legitimate business drivers that cause the termination of even the best employees.”
Expanding the Talent Pool
There are steps organizations can take to find cybersecurity talent. As far back as 2019, CISA noted in a report that the gap between demand and supply wasn’t solely because of the lack of talent but also was an issue of identification. Candidates were being turned away for not having the strict education, training, and credentials companies were seeking. That could be bridged by identifying people with the right skills and experience who could transfer into cybersecurity.
It’s an idea that Bugcrowd CEO Dave Gerry agrees with.
“Employers need to take a more active approach to recruiting from non-traditional backgrounds, which, in turn, significantly expands the candidate pool from just those with formal degrees to individuals who, with the right training, have incredibly high-potential,” Gerry said. “Additionally, this provides the opportunity for folks from diverse backgrounds, who otherwise wouldn’t be able to receive formal training, to break into the cybersecurity industry providing income, career, and wealth-creation opportunities that they otherwise may not have access to.”
Organizations also need to account for bias that exists in cyber-recruiting and offer apprenticeships, internships, and on-the-job training to create the next generation of talent, he said.
Let the Fish Grow
Ontinue CISO Garth Lindahl-Wise added sabbaticals and job shares to that list, putting some of the onus on enterprises to spend the time and money to help build talent rather than just look for it.
“We must incentivize the hours people put into training,” Lindahl-Wise said. “If it is worth it, it is worth rewarding (think small financial benefits, additional time off for study etc.). Encourage and enable job shadowing and sharing.”
He added that “technical qualifications are not necessarily the issue. We are fishing in a pool for fish that haven’t had the time to grow to the size we want.”
Such training can also open employees to opportunities available in a cybersecurity career, said Omri Weinberg, co-founder and chief revenue officer at DoControl. Too often the hiring process involves trying to find someone who has all the required skills for a particular position.
“The HR process still isn’t quite there yet when it comes to finding talent in the cybersecurity industry,” Weinberg said. “The gap can be minimized when hiring managers and HR representatives work closely together to understand when a candidate is qualified for a role and is also a fit for the companies’ culture.”
Keeping Talent in the House
Organizations also will need to consider what they can do to encourage the cybersecurity pros already in place to stay, said Tim Callan, chief experience officer at Sectigo.
“They can provide better environments by embracing modern architectures, implementing new tools like AI, and automating the routine work that takes up too much of IT professionals’ days,” Callan said. “Platforms, such as ITSM and CLM, can take away mind-numbing repetitive tasks, reduce stress, and give tech-savvy employees more reason to stick with their current careers.”