There are not enough workers with sufficient cyber security skills to meet the demand of employers. You’ve probably noticed that this type of claim is repeated often. But just how accurate is it - and what does it mean for people who want to reskill or upskill in this area?
We’ve been digging into the current employment market to uncover the hard facts surrounding the cyber security skills gap. Read on to discover whether - and to what extent - this gap really exists, what the gap actually consists of, and what you should be doing to take advantage of the cyber security demand that’s out there.
Understanding the Cyber Security Skills Gap
Here’s a closer look at what the cyber security skills gap means and at the main factors that could be driving the need for cyber security expertise.
Defining the Gap
In broad terms, the cyber security skills gap usually refers to the deficit between the skills organizations require to manage their cyber security and the skills available. There are several elements to this:
- Organizational skills gaps. This refers to the fact that an organization’s current workforce may lack particular required skills. This might include an absence of fundamental technical knowledge and experience, as well as practical know-how in relation to specific areas (e.g., penetration testing or incident response management).
- Skilled labor shortages. Put simply, organizations struggle to recruit people with the skills they need because there are not enough people with those skills to go around.
- Individual skills gaps. Individual employees and potential recruits lack the training, knowledge, experience, and qualifications employers stipulate as required.
What’s Driving the Need for Cyber Skills?
Digitization and the shifting of value
Whether you’re a national government or a small business, one thing’s for certain: you’ll always take extra care to safeguard the things that are most valuable to you. Increasingly, these assets are intangible: i.e., they don’t have any physical embodiment.
Far more than in the recent past, it’s now the norm for a company’s intangible assets - e.g., customer data, internet presence, proprietary software, and patents - to be worth way more than, say, its inventory, buildings, and equipment. In fact, one analysis showed that intangible assets currently make up 90% of the assets of all S&P 500 listed companies (up from 68% in 1995).
When companies grow or innovate - e.g., through new platforms or product offerings - it almost always results in the creation of even more intangible (mostly digital) assets. It means that an increasingly large technology stack comprising devices, servers, networks, and data must be secured to protect organizational value.
In short, organizations want the people and skills necessary to protect the assets most important to them. Given the continued rise of digitization and the creation of new intangible value, a growing demand for cyber security skills is pretty much inevitable.
An evolving threat landscape
Criminals realize that there are rich pickings to be had in all those assets that are held digitally. So, it’s hardly surprising that an estimated 86% of cyber crimes are committed for financial gain.
When it comes to tools and tactics used, these criminals don’t stand still - and potential vulnerabilities and attack vectors are always emerging. Here are just a few illustrations of this:
- A record 26,448 security flaws were recorded on The Stack’s catalog of Common Vulnerabilities and Exposures (CVEs) in 2022. The number of critical vulnerabilities was up 59% compared to 2021, at 4,135. CVEs do not translate automatically into exploits. However, the continued uncovering of bugs and errors in operating systems and applications highlights that there are always fresh weaknesses for criminals to potentially take advantage of.
- In 2021, there was a 73% increase in unique malware variants. It was estimated that cyber criminals were releasing an average of 1,126 new malware versions per day.
- In summer 2022, there were almost as many conflict-related DDoS incidents in EU countries as there were in Ukraine (85 versus 86). The majority came from pro-Russian hacktivist groups.
- Earlier this year, Darktrace reported a 135% increase in malicious email campaigns demonstrating very advanced use of language. It shows how adept cyber criminals can be in putting things like generative AI to work: in this case, using ChatGPT to create ever-more convincing phishing scams.
Organizations will always need up-to-date skills and knowledge to manage fresh threats, new cyber tools and techniques, geo-political events, and advanced methods of attack.
The compliance element
Being lax on cyber security is no longer an option. Organizations increasingly have regulators, investors, and customers checking up on them to make sure they are doing the right thing.
With the General Data Protection Regulation (GDPR) in Europe, and similar legislation in place across the globe, businesses and other organizations need to be able to point to adequate measures in place to ensure data - particularly personal data - is safeguarded.
There are also tighter rules in place surrounding things like mandatory breach reporting, record keeping, and risk assessments. This means that the management and governance element becomes just as important as the front-line operational side of cyber security.
The upshot? If a business wants to be seen as a safe pair of hands, relying on an all-purpose ‘IT guy’ to handle all things cyber-related isn’t a good look. To avoid reputational damage and possible regulatory sanctions linked to cyber events and data breaches, organizations increasingly need to be looking at bringing on board dedicated security expertise.
Is the Cyber Security Skills Gap a Myth?
We’ve touched on the factors that might be causing or contributing to a cyber security skills shortage. But is the cyber security skills gap actually there? Here’s what the recent statistics show…
Global and Regional Gaps
- According to the 2022 (ISC)2 Cybersecurity Workforce Study, the global cyber security workforce is at an all-time high, comprising an estimated 4.7 million professionals.
- Globally, an estimated 3.4 million more cyber security workers are needed to meet the needs of employers. This labor shortage-induced gap increased 26.2% compared to 2021.
- 70% of respondents said that their organization does not have enough cyber security employees.
- More than half of respondents gave the opinion that staff and skills deficits put their organization at moderate or extreme risk of cyber attack.
- The 2023 Fortinet Cybersecurity Skills Gap Report suggests that 56% of organizations struggle to recruit and 54% struggle to retain cyber talent.
- 83% of executive boards were focused on increasing cyber security headcount in 2022, compared to 76% in 2021.
- The shortage of talent makes recruitment a long and difficult process for employers. One in five hiring managers say it takes more than six months to find qualified cyber security candidates for open positions.
- Cyberseek data suggests that the US cyber security workforce currently consists of 1,129,659 workers (based on April 2023 data). The size of the workforce has increased by 57% since 2010.
- There were 663,434 online US job listings for cyber security-related positions from May 2022 through April 2023. This has increased 77% since 2010.
- The cyber security workforce supply/demand ratio is currently calculated at 69%. This means there are only enough cyber security workers in the US to fill 69% of the jobs that employers demand. The historical supply/demand ratio pattern is as follows:
- India’s cyber security employee base doubled from 100,000 in 2021 to 210,000 in 2022 and is expected to reach 300,000 in 2023.
- TeamLease Digital found that in May 2023, there were 40,000 open cyber security job opportunities in India. The demand-supply gap is expected to reach 30% by the end of 2023.
- This gap increased by 26.2% year-on-year in 2022.
- Specializations in the areas of data privacy, cloud security, AI security, and network security were found to be in particularly high demand.
- The European Union’s Cybersecurity Higher Education Database (CyberHEAD) shows that the number of new cyber security graduates per annum in the EU grew 25% in the last two years.
- However, the cyber security workforce shortage across the EU is estimated at 300,000: a gap that cannot be closed with the current flow of graduates.
- Microsoft’s analysis of LinkedIn data for 2021 showed that the demand for cyber security skills grew by an average of 22% in that year alone across 12 European markets. This growth in demand was highest in Poland (36%), Germany (32%), and Romania (31%).
- The EU Agency for Cybersecurity (ENISA) concludes that this workforce shortage cannot be covered without investment in re-skilling and upskilling.
Most Needed Cyber Security Skills
According to Fortinet’s global study, cloud security is currently top of the list of the most needed cyber security skills, and cloud security roles are also the hardest for organizations to fill.
Impact of the Cyber Security Skill Shortage
Evidence suggests that the cyber security skills gap poses a direct risk to organizations, jeopardizing their ability to reduce the likelihood of a successful attack and to respond to breaches when they do occur.
- 84% of organizations experienced one or more breaches in 2022, up from 80% in the previous year.
- 29% had five or more intrusions in 2022, compared to 19% the previous year.
- It seems that the financial implications of cyber attacks are becoming more severe. 48% of organizations that had experienced breaches in 2022 said that a breach had cost more than $1 million to remediate, up from 38% in 2021.
- Many organizations identify a direct link between the skills gap and the vulnerability of their cyber security posture. 68% consider themselves as facing additional risks because of cyber security skills shortages.
How Does the Skills Gap Affect Aspiring Professionals?
Forward-thinking employers are rethinking their assumptions on recruitment and training: a trend that will only increase as skills shortages persist. With employers becoming less rigid in their approach to things like formal academic education, this should make the profession far more accessible.
Taking Advantage of a Seller’s Market
ISACA found that 60% of hiring managers were finding it difficult to retain qualified cyber security professionals last year, up seven percentage points from 2021. The most common reasons for workers leaving their jobs were as follows:
- Recruited by other companies (59%)
- Poor financial incentives regarding salary or bonus (48%)
- Limited promotion and development opportunities (47%)
- High work stress levels (45%)
- Lack of management support (34%)
When it comes to skills, it’s definitely a seller’s market. The continued skills shortage means that once you’re established in a cyber role, you’re potentially in a strong bargaining position. If pay, prospects, and conditions are falling short with your current employer, there are almost certain to be other options available.
Non-Traditional Routes into Cyber Are Becoming More Viable
The existing, established cyber workforce tends to have high levels of formal education. The (ISC)2 study from 2022 showed that of 11,000 global security professionals surveyed, 43% had a master’s degree or equivalent. About half of these degrees were in computer and information sciences and around 15% in engineering disciplines.
However, the (ISC)2 research also shows that new entrants to the cyber profession are much less likely to have followed the traditional four-year computer science degree route. Almost half of respondents under the age of 30 move into cyber security from a career outside of IT.
When it comes to college education, it seems to be getting less common for employers to lay down formal requirements. For instance, last year, 52% of organizations told ISACA that they require new cyber workers to have college degrees, a six-point decrease from 2021.
Certifications Grow in Importance
The absence of a traditional computer science degree may no longer be a deal breaker if you’re looking for a job in cyber. However, it seems that employers still want to see proof that applicants have solid, up-to-date knowledge before they hire. Cyber-focused certifications are therefore a must-have requirement in the eyes of many hirers.
- In 2022, 90% of leaders said they prefer to hire people with certifications, up from 81% in 2021.
- 72% of leaders said that hiring certified people has increased security and awareness within the organization.
- For hirers, CompTIA Security+ seems to be the most in-demand certification for junior roles. CISSP (Certified Information Systems Security Professional) is the certification most frequently stipulated for more advanced positions.
When Employers Are Looking for Unicorns - and How to Respond
“Too many organizations hiring cyber security talent are looking for unicorns - those candidates who can check off every single box on the application form.”
This point was raised in a Cybersecurity Dive article earlier this year. If employers continue to be unrealistic in what they expect from new hires and fail to provide upskilling opportunities for existing employees, then continued organizational skills gaps are inevitable.
Mandated work experience requirements can be a particularly annoying sticking point. Even for very junior-level positions, it’s not unusual for job postings to stipulate the need for experience, leaving you with a conundrum: how do you get the experience employers want if they’re asking for experience to get through the door in the first place?
This is just one of the hurdles the StationX Accelerator Program is designed to help you overcome.
Suitable for beginners and experienced cyber professionals alike, highlights of the program include access to 29 strategies for gaining experience, mentorship, and assignments that will help you demonstrate precisely the type of practical know-how that employers are looking for.
Strategies for Taking Advantage of the Skills Gap
For existing and aspiring cyber security professionals, the focus should be on addressing your personal skill gaps to take advantage of the opportunities out there. Here are some tips for getting this right…
Consider Cyber’s Hottest Demand Areas
It’s definitely worth giving special consideration to those areas of cyber where demand is strongest. A few areas to look at include the following:
Plan Your Next Accreditation Move
We’ve seen that employers tend to value cyber-specific certifications when sizing up applicants. However, with so many certifications out there, it’s important to isolate the ones that are the best fit for your own needs - and that are most sought-after by employers. Our certification matchmaker is a useful starting point for homing in on the right certification for you…
Highlight Your Broader Skill Set
If you are approaching cyber security from a non-technical background, this doesn’t necessarily have to be an impediment to recruitment or advancement. In fact, particularly against a backdrop of labor shortages, the opposite is true.
Hirers recently told ISACA that they look for a wide range of skills in cyber security applicants, including soft skills such as communication (cited as crucial by 57%), critical thinking (56%), and problem-solving (49%).
(ISC)2 found that 18% of hiring managers in large organizations are now recruiting raw talent for junior cyber security roles from a diverse range of often non-technical job functions: areas such as help desks, HR, customer service, and communications.
So whatever your background - whether it’s general IT, retail, customer service, business admin, or a host of other roles - think carefully about what crucial soft skills you already have and make sure that these often highly-prized attributes are showcased on your resume.
The cyber security skills gap is real and looks set to be with us for the foreseeable future.
In response, organizations have no real choice but to rethink their strategies to attract and retain cyber talent. It means, for instance, ditching a traditionally narrow view of what makes a suitable candidate for entry-level and junior roles. It also means encouraging existing employees to boost their credentials so they can climb the cyber career ladder and continue to meet the changing needs of the business.
This is all good news for existing and aspiring professionals - but only if you can plug any personal skills gaps you may have. This includes, for example, gaining those all-important ‘most-wanted’ accreditations, getting help from mentors, and getting practical projects under your belt to compensate for an absence of formal work experience.
Plenty of opportunities are out there. However, seizing them requires you to act smart! A great way to begin is to get access to mentorship, a customized career roadmap, top-rated courses, and more with the StationX Accelerator Program.