This year has seen profound disruption and challenges for cybersecurity professionals and their organizations. Considerable geopolitical strife has resulted in nation-state cyber-attacks spilling into the private sector, intensifying expectations for cybersecurity professionals to keep users, data, systems, and physical assets safe and secure. At the same time, teams continue to struggle with ongoing operational cybersecurity challenges from a remote and distributed workforce, supply chain issues, a rise in repeat inbound attacks such as phishing and ransomware, as well as dealing with a shortage of qualified people to get the job done.
Every year, (ISC)² conducts its Cybersecurity Workforce Study, which measures critical trends and impacts for cybersecurity practitioners and the cybersecurity profession at large. The findings this year are of particular significance given the current state of global affairs, the great resignation, and ways of working in the first full year post-pandemic. They offer a barometer for the profession with a particular focus on areas of concern, preparedness to address risk, job satisfaction, workplace expectations and and outlook.
At the forefront are the updated measures of the active cybersecurity workforce and the unfilled workforce demand, or gap. These are the two most visible figures that we gather every year, but alone, they only tell one small part of a much larger cybersecurity story.
We estimate the size of the current global cybersecurity workforce to be 4.7 million people — the highest we’ve ever recorded and an increase of 464,000 people year-on-year. And while the workforce grew more than 11%, unfilled demand has grown more than 26% to 3.4 million people. Many businesses are left unprotected as they are not seeking cyber professionals at all or are under-prioritizing hiring efforts. In fact, 98.5% of small businesses have no cybersecurity professionals at all.
Looking more specifically at North America, we see a combined workforce of just over 1.34 million (6% up year-on-year), but working against a gap of over 436,000, up 8.5% year-on-year. With increased threats, increased digitalization of everything we do, and greater distribution of users, systems and data, demand for cybersecurity skills and the need to secure and monitor a far greater footprint is once again spiking, despite increased global recessionary concerns.
Although, the gap really isn’t the headline. What matters—and what global leaders must focus on—are the real-world consequences of operating without a fully-resourced cybersecurity team.
The study confirmed that despite 70% of respondents feeling overworked, nearly three-quarters of organizations with a significant cybersecurity skills shortage face a moderate to extreme risk of experiencing a cyberattack as a result. Specific risks, which have materially grown in the past year, include: Nearly half (48%) don’t have enough time for proper risk assessment and management. Some 43% have experienced oversights in process and procedure, while 39% have let prompt system patching slide due to being shorthanded. On top of this, 35% have deployed misconfigured systems while a third (32%) also lack the resources to train staff, further perpetuating the skills challenge.
It’s not all bad news. In spite of the challenges, 75% of respondents report strong job satisfaction and the same percentage feel passionate about cybersecurity work. Alongside this, 72% expect their cybersecurity staff levels to increase within the next 12 months — the highest predicted growth rate in the last two years (53% in 2021 and 41% in 2020). We need to both celebrate these findings and use them to tackle the gap.
Now’s the time for action to bring more people into the profession—which as an industry, we have not made enough progress doing. Breaking the cycle of understaffing needs a concerted effort to remove the roadblocks that prevent people from pursuing a cybersecurity career. Here are some strategies:
- Break the experience loop: Without experience, people are hard-pressed to find jobs in cybersecurity. Our research shows that we can fill many critical gaps with entry and junior-level staff. Industry efforts such as our own (ISC)² Certified in Cybersecurity certification and One Million Certified in Cybersecurity initiative are driving change. They create an on-ramp for entry- and junior-level professionals that employers can use as a benchmark of competence instead of setting unrealistic experience requirements. Additionally, by committing to put a million people through the education and exam for free – we are building a pipeline of qualified candidates through this unprecedented effort to inject fresh energy and new ideas into the talent pool. But certifications are just part of the effort to clear the road.
- Inclusion matters: It’s just as important to break down diversity and inclusion barriers, especially since diversity, equity and inclusion (DEI) programs play a significant role in staffing shortages. Those with DEI initiatives at their organizations faced fewer staffing shortages within cybersecurity teams. Organizations that haven’t or don’t plan to implement DEI programs had greater workforce gaps. The people who work in cybersecurity must be more representative of society and more accessible to people from all backgrounds, cultures and circumstances. Additionally, individuals in organizations where their voices are heard are happier in their jobs. Unfortunately, it’s not common practice, as only 28% report their organization listens to and values the feedback and opinions of all employees.
- Retain and invest: We can shrink the workforce gap by retaining and investing in existing talent. Proactive investments in people are critical, we can’t leave it all to the individual to self-advance. Two-thirds of the people surveyed cited the need for new certifications to develop their skills and keep pace with technology and threats. And while it’s good to hear one-fifth of practitioners say their organization would increase their security budget as a result of a breach — organizations need to pivot away from the reactive and invest in technology and resources far more proactively to protect our information and systems.
Investing in and developing people, creating inclusive cultures, along with proactively investing in the tools professionals need to succeed are all essential to narrowing the cybersecurity skills gap for the long term, and creating a safe and secure cyber world.
Clar Rosso, chief executive officer, (ISC)²
