Cybersecurity skills: Addressing gaps and challenges in 2025
The cybersecurity skills gap is widening, despite multiple initiatives to fill core roles – leaders must act to redress the balance

The tech sector continues to struggle with meeting demand for cybersecurity skills, an issue that appears to be getting worse over time. According to ISC2’s latest Cybersecurity Workforce Study, cyber workforce growth has slowed while the cybersecurity skills gap has grown to a record high of 4.8 million – up 19% compared to a year earlier. A total of 10.2 million security professionals are now required to satisfy demand.
The survey found the global workforce amounted to 5.5 million people, just a 0.1% year-on-year increase, while the labor pool grew by 8.7% in 2023.
This issue persists despite multiple initiatives by businesses, industry organizations and governments. So, why have things got so bad and what can be done to fill the rapidly growing skills gap?
Cybersecurity skills: New technology
The cybersecurity skills gap is so bad partly because cyber attacks are becoming more sophisticated, creating a need for more specialized talent in the industry. Digital transformation has led to increasingly connected networks, growing cloud use and weaknesses attackers can exploit.
The emergence of new technologies such as cloud computing, AI and blockchain has led to a need for “highly specialized knowledge”, which is “in short supply”, says Rob Demain, founder and CEO at e2e-assure. In the meantime, the rapid pace of change in cybersecurity needs has been exacerbated by budget deficits and staff shortages, says Harshul Asnani, president and head of the Europe business at Tech Mahindra.
There is also a lack of interest in cybersecurity from young people entering the employment market, he says. “This means the deficit spans from fresh recruits to top-tier management.”
One of the main problems is the educational pipeline in cybersecurity, says Jill Knesek, chief information security officer (CISO) at BlackLine. To address this issue, she says cybersecurity careers should be promoted at an earlier stage. “It's important to engage high school students or younger and to ensure we are discussing cybersecurity with this generation. It’s a great job with numerous benefits, but one thing people overlook is the multitude of career paths it offers.”
People are also leaving the industry as growing pressure sees security professionals throwing in the towel due to stress. The need for continuous monitoring and response can lead to “alert fatigue”, says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University. “This has caused some to leave the field or switch to other roles.”
Cybersecurity skills: Upskilling to skirt budget woes
The state of the economy over the past few years has left businesses tightening their belts, reluctant to spend more on cybersecurity hires. For the first time, respondents to the ISC2 study cited a ‘lack of budget’ as the primary factor driving their staff shortages, overtaking the ‘lack of qualified talent’, commonly cited in previous years.
Taking this into account, CISOs should focus on upskilling their existing teams, suggests Akhil Mittal, senior manager, cybersecurity strategy and solutions at Black Duck. “By offering targeted training, certifications and mentoring, organizations can equip their existing staff to handle more complex challenges. It’s faster, usually more affordable and helps the team grow, reducing burnout and increasing retention.”
Upskilling existing staff is “highly effective”, agrees Knesek. “Existing employees already know your business, environment and processes, so it is well worth ensuring they understand any potential vulnerabilities.”
However, the challenge is that because the threat landscape evolves so quickly, continually upskilling staff has the potential to be resource and time-intensive, says Knesek. “You may need to get very strategic and targeted in terms of how and when you deploy training for certain roles and individuals.”
Demain adds that upskilling is an ongoing cost that needs to be considered if a business wants to build an internal security function. But if a business does wish to invest in internal staffing, they should look to the best certifications such as GIAC, SANS and CISSP, he says. “It’s also vital to remember that internal teams need to be educated on the technology they are deploying, such as Microsoft Azure, SentinelOne and [Google Cloud Platform] (GCP),” he adds.
Diversity hiring in tech – factoring in ethnic diversity, gender diversity, and neurodiversity – is another way to bridge the talent gap. Experts point out that diverse teams offer different ways of thinking, giving an overall security boost to the business. Asnani says building a culture of diversity in cybersecurity is key.
“Diverse teams bring different perspectives and problem-solving approaches, which are invaluable when facing complex security challenges.”
Actively recruiting individuals from varied backgrounds — which can be done through partnerships with universities, apprenticeships, or reskilling initiatives — ensures businesses are “filling roles and enriching their teams”, Asnani says.
Cybersecurity skills: Communicating with the board
With constrained budgets adding complexity, it’s important that CISOs communicate the importance of investing in cybersecurity skills. This can sometimes be a challenge in leadership meetings, despite growing CISO influence in the boardroom, as focus can be on profit, not spending more on cybersecurity.
To win over the board, CISOs need to change the way they talk about cybersecurity, says Mittal. “Instead of seeing it as a necessary expense, show how investing in cybersecurity today can prevent much bigger losses tomorrow. The cost of a breach is much higher than what it takes to build the right team and invest in security. When you back up this with real numbers – like the cost of breach or downtime – it becomes much easier to make cybersecurity a top priority.”
For example, says Mittal, instead of asking, “how much will it cost?” the question should be, “how much could we lose if we don’t invest?”
“Shifting the conversation this way really resonates with decision-makers and shows exactly why staying ahead of today’s cyber risks is so important.”
Before asking the board for more money, you first need to demonstrate that you are using the existing budget effectively, says Jim Doggett, CISO at Semperis. “Too many still try to sell fear, uncertainty and doubt (FUD) and not a risk-based perspective.”
Yet as Knesek points out, it’s also worth using newsworthy cyber-attacks as examples of the damage that can occur. “I would also say a good CISO should never let a headline go to waste,” she tells ITPro. “We see examples of breaches every day and the impact these can have on business operations. These are opportunities to communicate the risks we need to mitigate and can help to reframe proactive investment in talent and technology as a potential cost saving.”
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.