The Cyber Security Skills Gap is Getting Wider…

For any IT security specialist who’s due a pay review, recently published threat reports make worthwhile reading. The latest annual roundup from FireEye confirms the Cyber Security Skills Gap as one of the biggest risks facing businesses. Specialists in this area are dubbed a “scarce resource” – and (assuming they know their stuff) are definitely worth hanging on to…

Here, we take a closer look at what’s driving this gap – and what this means for businesses, employees  and anyone who’s thinking about topping up their cyber security credentials…

The skills gap: what are we talking about?

The research in question is the M-Trends 2018 report from FireEye subsidiary, Mandiant, based on the company’s investigations into targeted attack activity in the year up to October 2017.

The message is as follows: there’s a deficit in the availability of information security personnel – and this shortage is expected to get worse over the next five years. This assertion is drawn from Mandiant’s own engagements with organisations. It’s also supported by intel from the US National Institute for Cybersecurity Education (NICE) which reported that 285,000 cyber security roles went unfilled last year in the US alone.

Mandiant estimates that it takes 9-12 full-time employees to keep an enterprise-level cyber defense center manned around the clock. Especially for bigger companies, there’s a drive to adopt “a more proactive security posture” and develop their own capabilities in areas such as malware analysis, threat hunting, automation and threat intelligence. All of this drives the demand for more staff.

ESG’s annual global survey on the state of IT paints a similar picture. Based on data from North America and Western Europe, it shows that infosec comes top of the list of tech-related roles where businesses are experiencing a “problematic shortage” of skills.

The ESG data shows how the gap has been getting bigger over time. Back in 2014, 23% of respondents reported a problematic shortage in recruiting cyber security skills. By 2018, it was up to 51%.

What’s driving the shortage?

We’d suggest several factors…

The compliance element: data security becomes a bigger priority

On the one hand, greater automation/orchestration and the use of advanced analytics helps IT cyber security departments to cover more ground with fewer resources.

But at the same time, ever-greater numbers of businesses feel the need to invest in specialist in-house cyber security skills. Regulatory compliance is undoubtedly driving this. This is especially the case for organisations with an EU customer base, as businesses grapple with the implications of the General Data Protection Regulation (GDPR).

Where security breaches involve personal data, GDPR ushers in mandatory breach reporting for the first time. There are also tighter rules in areas such as record keeping and privacy impact assessments – along with a tighter fine regime.

The upshot? Many businesses who haven’t previously considered it necessary to bring on board dedicated cyber security expertise are changing their minds.

The education element: getting the right training

If you’re a Computer Science graduate, try and think back to what you actually covered, security-wise. Chances are, there was a module along the lines of ‘Internet Architecture & Security (or something similar), which covered broad models of security and management of security issues from a theoretical point of view.

So is this enough for you to begin to grapple the real-life security issues faced by organisations? Hardly…

Speaking to Computer Weekly, Canon’s information security director, Quentyn Taylor described how many would-be candidates for security roles “have a lot of certifications, but have very little real-world experience, or good advanced technical skills but they are missing the soft skills and basic skills.

If they are serious about developing and keeping hold of cyber security talent, businesses need to offer meaningful, hands-on continuing professional development. And if your employer isn’t making this happen, professionals should think seriously about taking matters into their own hands, training-wise.

The attrition element: can you cut it?

You’ve been putting in the 12-hour days. You spend so much of your time troubleshooting, there’s no time for professional development. And to top it all, there’s no sign of your employer bringing on board the extra help you’ve been asking for…

Job fatigue is a very real problem in the cyber security world. Almost two thirds of pros in this area say that skills shortages have increased the workload of existing staff – and 38% say that those shortages have led to high burnout rates and staff attrition within their organisations. Unless it’s addressed, all of this is going to fuel the fire of existing shortages.

What next?

In the UK, roles linked to cyber security are expected to see a 7% salary increase this year; one of the biggest hikes in the IT sphere.

It means that businesses that fail to provide their people with the support (and remuneration!) they deserve are likely to find themselves at the sharp end of the skills gap.

And as for anyone who’s thinking of moving into this area, it’s clear that the rewards are out there. ​Check out our Cyber Security Career Guide to ​for the best ways to start a career.

Level Up in Cyber Security: Join VIP Membership Today!

vip cta image
vip cta details
  • Nathan House

    Nathan House is the founder and CEO of StationX. He has over 25 years of experience in cyber security, where he has advised some of the largest companies in the world. Nathan is the author of the popular "The Complete Cyber Security Course", which has been taken by over half a million students in 195 countries. He is the winner of the AI "Cyber Security Educator of the Year 2020" award and finalist for Influencer of the year 2022.

  • Michael Hinojosa says:

    I have taking one of your courses and need to finish 2 more. Which courses do you offer that have hands on training for cyber security?

    • Nathan House Nathan House says:

      They all have practical lectures and labs. Can you be more specific?

      • Rachel Hankerson says:

        I am a Systems Developer, May I speak with you personally about your services, to make sure that my technology has all of the needed security to protect data, software, and hardware?

  • Mello says:

    There are very valid points made in the article of which I do agree as to why there is a projected hiring gap increase. One thing to point out and it’s been my own personal struggle- is the experience requirement. Knowing that there is a shortage and many cybersecurity professionals are comfortable in their job, where do you expect some one with 10+ years in Cybersecurity or similar roles of experience to come and apply? I only have education in Cybersecurity, there are not a lot of companies that provides the opportunity to get in the cybersecurity field and grow with just that. Earning my MS was hands on but I haven’t been able to use any of my skills because of the lack of experience I have been able to acquire. If the years of experience required outweighs the knowledge required that gap will continue to increase.

    • Nathan House Nathan House says:

      This is a good point and well known to me. Companies do want experience.

      Check out my career guide for how to get around this issue through profiling your skills.

      • Ajay says:

        Dear Nathan,

        I am also having the same issue that Mello pointed out here. I am from Canada and the Employers here are asking minimum of 10 Years or so to get a step in cyber security space. Please guide me how to break this barrier. Please advice on how to get your career guide online.

        As a student of yours I would like to request you to create some cyber security courses where we can get a deep dive practical experience for Information security professionals or SOC professionals. Many companies here are also asking for IAM skill-sets too. Looking for your guidance and support.


      • German Quezada says:

        Another point, 20+ years in the field, 8 years in cybersecurity but nobody wants to hire me in it because of the lack of experience, I have had a few “security” jobs here and there but nothing major, companies want someone with experience but are not willing to take someone to get the experience!!!! so what gives?

    • Joe says:

      I Agree. Even though I agree with you 100%, take into account that these major corporations have a lot to protect. Exposing their Network system and investing in the security skills of someone new is what I think they are worried about. Of course since it takes around 6 to 8 security professionals to secure most large network systems money is an issue too. I feel the solution is to hire someone who has degrees and certifications and some experience in cyber security on a contract basis so they’re in vestment will topple and the security professional feels like they have job security during the challenging times of getting acclimated and learning new skills in cyber security, Like continued education.

  • Steve says:

    Nathan, I have used Android phones for the last couple years and have always felt like my privacy has been at risk. I have always tried to avoid giving my information up but nowadays with smart phones having constant location tracking and apps asking and requiring you to give up permission to use them I don’t see how its possible to get a grip on your privacy at all. Do you have any recommendations on what to do whether to stay away from android and find a better phone brand, or to download a certain security app or what does it take?

    • Nathan House Nathan House says:

      Privacy with mobile phones is best efforts only. I cover this in volume 3 of my complete cyber security course. Android is currently pretty poor for security too. iphone is better but that’s because it’s a closed system.

  • Caflix says:

    Really blessed to be a part of this community. Thanks Nathan.

  • Chetan says:

    Sir , how can a fresher get into cyber security because companies do need experience and I don’t know how to get it if the company doesn’t hire you for a cyber security job.Any suggestions ???? How much do these certifications weigh in the real world because I far as I know these certifications need to be done again after a few years????

  • Mike Ng says:

    Hello Nathan. What do you suppose they meant when they said security candidates were “missing the soft skills and basic skills.”

    • Nathan House Nathan House says:

      Soft skills- personal attributes that enable someone to interact effectively and harmoniously with other people.

      Basic skills- I can only guess that they mean obvious skills a sec pro should have. Like knowing security is about risk management and not fixing all issues.

  • Thomas Arillotta says:

    Loved the post. Most informative!

  • Robert says:

    Thanks for having me here Nathan!

  • Chris says:

    I’d add to that ‘The unrealistic recruiter element’

    I’m a tech with nearly 30 years experience in IT leading to senior roles. I’ve spent the last 5 qualifying and retraining myself in security but recruiters ask for ’10 years experience in a SOC’ and so on. There aren’t many companies willing to look at re trainees, especially older guys like me.

  • badero tolu says:

    what if i do not have a computer science degree can i still enter this line of work with certifications

    • Nathan House Nathan House says:

      This is a very common question. Strictly you do not need one, but it will help. This is covered in more detail in my career guide.

  • Jackie Horn says:

    Good Evening,

    I am a new college student going to school for cybersecurity. I am a 33-year-old female and have no military affiliation. I am worried that with no military, my age, and being a female that I will have more obstacles than others. Do you agree?

  • Nicole says:

    28 yrs female here entering cyber security retiring this overly saturated career path of UX UI. Am I too late and are there too many odds against me (lack of experience in years, etc.)?

  • Alishia says:

    Cybersecurity today is considered as the hottest industry to be a part of and resources are also available at your fingertips. This is a continuously evolving industry, and there is a demand for incredible talent with varying skills.

  • Joseph says:

    “…many would-be candidates for security roles “… are missing the soft skills and basic skills.” Assuming so; look at most job descriptions for security roles – do they make sense? Most info. security directors display no grip of whatever challenges they have on their hands: GI –> GO. No wonder orgs. are embarrassingly breached again and again through low hanging fruits – look at Zoom’s debacle.
    Cyber Security is a serious business: Soft Skills, Basic Skills, cliche, and Hope won’t cut it.

  • Francis says:

    Am thinking of switching from SOC to Governance Risk and Compliance roles. I will appreciated your advise and recommendations.

  • >