Security Staff Acquisition & Development, Leadership

2023 workforce predictions: Lack of talent will haunt firms as leadership comes under scrutiny

Job seeker
A job seeker holds a briefcase as he waits in line to meet with recruiters. (Photo by Justin Sullivan/Getty Images)

It’s hard out there for a cybersecurity recruiter – at least that’s what many of the predictions submitted this year by IT professionals are saying.

The profession has had a difficult time filling the estimated 3.1 million open positions worldwide, and companies will have to offer more than financial incentives to hold on to current staffs, say the prognosticators.

Click here to download the full 2022 Cybersecurity Year in Review Report from SC Media.

On the flip side, CISO and CIO performance will be under the microscope, as cybersecurity becomes more important to the success of the enterprise, especially amid fears of an economic downturn affect the industry.

And regulations, specifically reporting requirements, is also top of mind.

Cyber talent gaps

Hiring and retaining strong cyber talent will be one of the top challenges for the public sector, says Sachin Bansal, Chief Business Officer of SecurityScorecard:

The cybersecurity skills gap that has plagued the security community for the last several years won’t be closing any time soon. Research reveals that 80% of organizations suffered from at least one data breach in the past 12 months due to a lack of cybersecurity talent or awareness. The public sector is especially at risk, with more than 700,000 unfilled cybersecurity positions as of July 2022.  

In 2023, the inability to hire and retain appropriate talent to defend against a high volume of attacks will leave the public sector highly vulnerable. To fill the widening cyber skills gap, the public sector must improve compensation packages to prevent losing talent to well-paid roles within the private sector, as well as expand diversity within their workforce. 

Governments will use tech to help them address staffing shortages in 2023, says Cathy Grossi, vice president, product management at Accela:

Smart agencies will turn to data sharing to become more efficient with the resources they have. Governments can implement automation for end-to-end processes that cross multiple departments or agencies, as well as use digital technologies, such as chatbots, machine learning, smart algorithms, and natural language processing to develop processes that free up staff for other tasks. 

The cybersecurity workforce gap will reach a breaking point, and we’ll see a nationally significant attack directly attributable to an under-resourced security team, says Marcin Kleczynski, CEO of Malwarebytes:

The cybersecurity workforce shortage is no secret. This year, the employment gap in the U.S. jumped 40% to 700,000, and research says global openings will reach 3.5 million in 2025. So far that conversation has been theoretical – if anything, positioned as an opportunity for young professionals seeking a career in cybersecurity, which it is. But unfortunately, 2023 is the year we’ll see this all come to a head. I expect we’ll see a nationally significant attack in the U.S. that can be directly tied to a shortage of cybersecurity talent – either due to a mistake made by an overburdened employee, or an attack that overwhelms an understaffed team.

As an industry, we need to preemptively address these risks, both by immediately hiring and onboarding new cyber talent to plug the labor gap, as well as by introducing new tools and resources to help simplify operations for thinly stretched teams.

The Cyber Workforce Quest, says Joseph Carson, chief security scientist and advisory CISO at Delinea:

Each year the cyber talent gap is increasing. As an industry we must accelerate how to get more new talent and diversity to join the cybersecurity workforce.

2023 will continue to see the workforce gap increase and the urgency to explore new ways to attract more people to choose cybersecurity as the career choice. The old ways of accelerating new talent into the cyber industry must evolve.

And it is no longer just about having core technical skills but rather a diverse set of skills that also include communication, marketing, design, and psychology. Cybersecurity is now a challenge for all societies and, as Mikko Hypponen quoted, “we are no longer just protecting systems, but we are now protecting society.

Wicked skill shortage of security, says A.N. Ananth, the chief strategy officer at Netsurion and co-creator of Netsurion's open XDR platform:

This trend has been true for some years now and shows no signs of slowing. As Blue Teams expand their recruiting globally, so also the shortage of experienced security staff follows this trend. From a buyer’s perspective, one way of adding such skills to your team is to selectively and carefully add services from external providers. For suppliers of such services, more automation and more training of junior staff is a must.

The hype around the cybersecurity skills gap gets amplified, says Jonathan Rau, CISO at Lightspin:

The truth is that a lot of the skills gap is self-inflicted and has been for some time. The traditional cadre of hiring managers  require too many certifications or too much work experience than necessary for the job. Next year, with most hiring budgets being slashed and many teams only being able to hire for one position, we’ll see even more demands placed on new roles.

Companies will prioritize cybersecurity retention to help reduce turnover, says Jadee Hanson, CIO and CISO at Code42:

There are currently millions of unfilled cybersecurity positions around the world, putting the advantage in the hands of job seekers looking for a change of pace. For employers, however, the cost of replacing cybersecurity practitioners is extremely high. In order to do their jobs effectively, these employees need to fully understand an organization’s tech landscape which takes a great deal of time.

In 2023, companies will place a large emphasis on retaining their existing cybersecurity employees — and they’ll need to offer more than monetary compensation to do so. Companies that prioritize offering intellectually stimulating projects and assignments that enable cyber employees to flex their creative problem-solving muscles will fare the best. Additionally, companies that look beyond the “conventionally” qualified applicants to assess a candidate’s soft skills, like curiosity and willingness to learn, will find some of the best untapped talent available.

Instead of guidance and fear, help security teams execute, says Ronnie Fabela, CTO & co-founder at SynSaber:

From the practitioner side of ICS cybersecurity, 2023 will continue to see an overwhelming message of guidance, regulation, media, and FUD about topics such as ransomware, threat actors, and nation-states. My prediction for 2023 is that while this will continue, the industry’s response will be loud and focused: Enough guidance and FUD. Help us execute. Our industrial operators and asset owners know their systems better than anyone, and now they are on board with cyber. Empowering our operating community is the only true way to move the needle, and the shift from “We know better” to “You know better” will be tough for a cyber security industry that is used to being the hero. The faster all of us can change this mindset; the more successful 2023 will be for defending critical infrastructure.

Scrutiny for cybersecurity leaders

CISO liability will become another issue in hiring top security leadership, says Drew Simonis, CISO at Juniper Networks:

There’s an increasing amount of pressure and responsibility on CISOs in this aggressive threat landscape. Because of this, CISO candidates will look to their company to cover them in high-risk situations ranging from breach disclosure to secure software attestations to loss of reputation. As a safety precaution, Executive Risk insurance policies will become more frequently included in hiring contracts.

CISOs will be required to connect cyber risk to the broader business to keep their jobs, says Aleksandr Yampolskiy, CEO and founder of SecurityScorecard:

It’s no secret the economic downturn has meant significant budget cuts for many companies. As cyber threats escalate, cybersecurity investments are either staying put or increasing in 2023 — that is, only if security teams can rightly prove the value of their cybersecurity programs to senior leadership and the board. However, the majority of CISOs are struggling to effectively express the business impact of cyber risks to their board. In 2023, this ability will go from a nice-to-have to a must-have, and we will see an influx of CISOs losing their jobs if they can’t adapt. 

With the economy remaining uncertain next year, CISOs will feel increased stress from their board and senior management to justify the spend on their cyber tech stack. To ensure their security program is well-financed, CISOs will need to set specific management-level cyber metrics that can help them properly articulate whether the cybersecurity products and tools they have purchased provide a sound return on investment. 

Business implications for security risks will have CISOs stand center stage, says Sounil Yu, head of research at JupiterOne:

This year, companies (like Twitter) have seen the effects that whistleblowing can have when an organization ignores its employees flagging activity that they consider unsafe, fraudulent, or illegal, for example. Recent rulings revealed when a leader is alleged to have ignored security issues; it can set the stage for the entire organization to be held accountable for their discretions. This opens up the possibility of implications for CISOs who may be present at board meetings or board members.  Prediction 1: The role of the CISO will be truly elevated, whether on the board and/or in the management team (reporting to the CEO); and Prediction 2: If the case against Joe Sullivan doesn’t go in his favor, there will many CISOs who quit their roles unless their roles are elevated.

Being a cyber leader is only getting harder, says Andrew Rubin, CEO at Illumio:

Security is a challenging and at times thankless task. The Uber breach verdict re-instigated a national conversation about the responsibility cyber leaders wield and how companies should be held accountable in the age of imminent digital risk. 2023 will be a challenging year for CISOs around the world, who have more work, more pressure, and less help. It will be critical for CEOs to not only ensure their cyber teams are supported, but to also get on board with an “assume breach” mindset. Having the right tools and strategies in place to contain inevitable attacks will be critical for protecting not only an organization’s assets, but also its people in the age of ransomware.  

The rise of the "chief zero trust officer," says John Engates, field CTO at Cloudflare:

2023 will see the introduction of a new role in large organizations akin to a “chief zero trust officer.” Like other digital transformation efforts, the journey to zero trust requires coordination and cooperation across the enterprise, which can be a real challenge. A zero trust “czar” empowered with a clear mandate and a singular focus may just be the key to getting zero trust across the finish line in 2023.

Tech to the workforce rescue?

Organizations will start to see data intelligence platforms as crucial platforms for retaining institutional knowledge, says John Wills, chief technology officer at Alation:

Over the past few years, many organizations have experienced a higher rate of turnover as employees took advantage of the work-from-home world to seek out new opportunities. Dubbed “The Great Resignation,” this higher rate of turnover put added strain on already tapped businesses as they lost talented employees and the crucial institutional knowledge that often went with them. For organizations that didn’t have strong data retention systems in place, the information lost with employees can be hard if not impossible to replace. As businesses look to avoid such losses in the future, more will turn to data intelligence platforms that can store, organize and surface key knowledge to mitigate the impact an employee loss can have on a business. 

CISO budget constraints will drive consolidation of security tools into platforms, says Ravi Ithal, CTO and cofounder of Normalyze:

Due to more macro economic trends, all organizations are tightening their budgets and pursestrings, including the CISO. They will be looking for tools that serve multiple functions for data classification, access governance, risk detection, remediation, alerting, and more. This will also extend to hiring and the talent required for a lean security team. You no longer have the budget to hire 10 people to deploy and manage security tools on an ongoing basis.

Struggle to Bridge the Talent Gap, says Tom Gorup, vice president of security operations at Fortra’s Alert Logic:

Demand for security will skyrocket in 2023 driven by economic downturn, consumer demands and new compliance requirements. Meanwhile the talent pool for addressing that demand will remain depleted. This mismatch of security demands and a lack of quality talent supply will drive businesses to seek out 3rd parties to solve their problem. As a result, we will experience choice overload in the MDR, MSPs and MSSPs spaces. All seeking to fill the gaps for companies that don’t have the resources or in-house expertise to manage their own security challenges.

Shadow IT goes from a negative to a positive, says Lior Yaari, cofounder and CEO at Grip Security:

Shadow IT has long had a negative connotation and means hardware, software, or services acquired outside of the ownership or control of IT. For SaaS specifically, the term “unsanctioned apps,” is sometimes used to describe SaaS used without IT approval. However, times have changed and the taboo of using technology that is useful—but not officially approved, has largely diminished. This and the industry rebranding of shadow IT to business-led IT will result in people focusing on the positives of empowering employees to use the best technology they need to do their jobs: productivity, job satisfaction, reduced time to market and faster reactions to changing market conditions. 

Training, training, training

The recession will cause a reduction in spending on training programs, says Jon France, chief information security officer at (ISC)²:

Despite the idea that cybersecurity may be a recession-proof industry, it's likely that personnel and quality will take a hit during the economic downturn. We're not seeing core budgets for cybersecurity being cut as of now, but the more 'discretionary' areas, such as training budgets, are likely to see scalebacks. This goes for both security awareness training at companies of all sizes and training cybersecurity professionals on how to adequately protect their critical assets. The industry is already facing a skills shortage, and unfortunately, we're likely to see that skills shortage worsen as the recession takes hold in 2023 due to the increased demand for skilled cybersecurity workers.

An increase in OT cybersecurity budgets will start to go into effect, leaving organizations with the task of deciding how best to spend it, says Duane Nicol Sr., product manager of awareness training at Mimecast:

The past two years have shown why OT cybersecurity is a necessity. In the next couple of years, I predict we will start to see companies increase their budgets accordingly as attacks continue and new best practices are developed. One area that is likely to see an influx of investment is cyber training and programs specifically for those running OT systems. Teaching operators and floor technicians how to monitor for breaches can close the gap between traditional risk management and cybersecurity. These programs will most likely be run in lab-type settings by third-party administrators with backgrounds in both information technology (IT) and OT environments.

Beware the human element, says Patrick Harr, chief executive officer at SlashNext:

Organizations that fail to address the human element of security will suffer because security training is not effective enough to protect users from all the types of unrecognizable attacks. 

My advice is to protect the human side of your security posture because the most unprotected part of your IT stack involves your employees and partners, including third-party contractors. Security training is focused on the people side of the business, but these attacks are now so sophisticated that it’s not realistic to expect users to detect malicious intent with training alone. Training is necessary but it should not be the only line of defense. That’s why we need to augment user security training by putting stronger AI controls in place. Just remember that your people are your most attacked vector and the most unprotected aspect of your security posture. You simply cannot train these kinds of attacks out of users. 

Organizations will reassess and expand end-user awareness training, says Eric Hart, manager of subscription services at LogRythm:

Coming to the end of a year in which so many organizations fell victim to social engineering attacks, more organizations will look to invest in training their end users to better detect threats. The past year has seen some big names – the likes of Microsoft, Cisco and Uber – suffer breaches by way of multi-factor authentication (MFA) fatigue, phishing and other social engineering tactics.  

With threat groups like Lapsus$ introducing bribery tactics to lure credentials from internal users, many of today’s attacks have evolved beyond the basic phishing techniques that end users are trained to recognize. Organizations will look to reassess their training programs to ensure that users are familiar with the bribery and extortion tactics associated with the latest social engineering schemes. Threat actors are constantly searching for new inroads into networks. Organizations concerned with their security postures will be sure to educate their users on emerging threats. 

Cybersecurity talent gap is a training problem, not a people problem, says Dave Gerry, CEO of Bugcrowd:

Attracting strong candidates has always been a core part of any business, and, like all businesses, finding senior talent, whether in cybersecurity or another function, requires a combination of attractive compensation, career growth, flexibility to work anywhere, and a mission that employees want to support. 

It’s also important to find talent from non-traditional and diverse backgrounds, provide them with the necessary training and enablement, pay them well with additional equity incentives, and empower them to do what needs to be done. For years, we’ve been led to believe there is a significant gap between the number of open jobs and qualified candidates to fill those jobs. While this is partially true, it doesn’t provide a true view into the current state of the market. 

Employers need to take a more active approach to recruiting from non-traditional backgrounds, which, in turn, significantly expands the candidate pool from just those with formal degrees to individuals, who, with the right training, have incredibly high potential.

Security will become a more diverse discipline, says Jacob DePriest, vice president and deputy CISO at GitHub:

There’s no question that cyberattacks will continue to rise in 2023. To keep up with the speed of threats, we’ll continue to see a shift in security culture and hiring within organizations. Security teams will need to work even more closely with engineering and product teams to react quickly to new threats. This will mean security teams will develop more of their own solutions, versus solely relying on purchasing a toolbox of cybersecurity tools and services off the shelf. In addition, threats are becoming more varied and complex so we’ll see more diverse workforce hiring within security teams - background, education, and technical capabilities - to combat the threats. This will ultimately lead to a stronger security culture, closer integration with engineering, and faster innovation to combat attacks from malicious actors. 

Remote and hybrid work models

At a time when companies are looking to save money, the "anywhere work" model will continue to deliver benefits for leaders who embrace it, says Dean Hager, CEO of Jamf:

Just because people are coming back to the office, doesn't mean they want to. For people who have worked effectively from home for two years, the argument that they should come back to the office regularly isn’t credible. Organizations that empower remote employees and communicate effectively will continue to see benefits in productivity, meeting efficiency, talent acquisition and retention, and reduced spend on facilities. However, to achieve these benefits, leaders must do more than “allow” anywhere work. They need to lean into it and create remote-friendly environments. Doing so will create greater benefits than simply the business continuity we needed during the pandemic. 

Companies will roll back return-to-work plans to conserve cash amid the economic downturn, says Drew Perry, vice president of information security and CISO at Serta Simmons Bedding:

Driven by continued economic instability, there will be an acceleration of organizations going back to remote work on a larger scale as a way to save money on big, expensive office spaces. As workforces become increasingly distributed, CISOs will once again have to prioritize the support of secure collaboration and communication technologies required by this shift. In 2023, zero-trust networks, data loss prevention, information privacy and cross-border data transfers will all become increasingly critical for a workforce that can work from anywhere.

The human element of remote work will be most challenging, says George Gerchow, CSO and SVP of IT at Sumo Logic:

Organizations got a crash course in hybrid and remote work at the start of the pandemic. While many of the related security and technology issues have been ironed out, some of the remaining challenges aren’t about technology. One concern is employee mental health and another is creating the right processes and procedures to access the infrastructure. Additionally, the threat landscape is beyond the enterprise perimeter, making it difficult to identify employees and detect behaviors. Employees are going to continue to use devices for both personal and professional purposes, increasing risk but also improving productivity.

Employees’ homes will become extensions of company offices, says Joseph Carson, chief security scientist and advisory CISO at Delinea:

Just as cloud transformation dominated the pandemic period, we have now started the "Bring Your Own Office" transformation, where employees’ home networks have become cloud droplets or mini clouds.

The big challenge for organizations today is knowing where the organization’s security start and stop, and should they be attempting to secure employee homes as an extension of the corporate office.

And what would that mean for the employees’ data privacy? Do well all become always-on employees where we are no longer an employee nine to five? In the past your personal life and corporate life had a clear separation. With Bring Your Own Device that dynamic changed, and now with Bring Your Own Office it will continue to evolve even further. The boundaries will become even blurrier. 

Dealing with regs

The growing regulatory scrutiny at the board level will further shift the CISO’s role and increase the board’s expectations and requirements, says Lucia Milica, resident CISO at Proofpoint:

The proposed U.S. Securities and Exchange Commission reporting requirements for increased transparency will compel companies to improve oversight and increase cybersecurity expertise on the board itself. They will have new requirements and expectations for their CISOs, changing the CISO’s traditional role.

But the recent Uber breach verdict in a U.S. federal court sets a dangerous precedent that encourages boards to shift liability directly to CISOs. Our industry is already struggling to recruit cybersecurity professionals, so this verdict could have a chilling effect on any effort to make headway in the battle for talent.

With only half of CISOs reporting seeing eye-to-eye with their boards, the mounting expectations and the stress of potential personal liability for a cyberattack will only increase the strain in the board-CISO relationship, with huge implications for an organization’s cybersecurity.

Security bandwagon brings demand for licensing, says Drew Simonis, CISO at Juniper Networks:

The security requirement bandwagon is moving fast, and everyone wants to jump aboard. With the enforcement of CMMC (Cybersecurity Maturity Model Certification), CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022) and the looming SEC disclosure rules in the US, NIS2 (Network and Information Security) in Europe, NIS expansion in the UK and so forth, the signals are clear that cyber is a big deal. Given the talent shortage and all the creative ways companies are bringing new folks into the industry, 2023 may well be the year we see some emerging demand for professional licensing, ala the Engineering industry. 

Transparency in 2023 breaches, says Claude Mandy, chief evangelist for data security at Symmetry Systems:

CISOs will be radically transparent about data breaches as they occur. Organizations have historically only disclosed breaches at a certain level of severity, but in 2023 CISOs will be more upfront about breaches, regardless of size or damage.  

With blunders like the former Uber CISO's conviction on federal charges for covering up a data breach or the Twitter whistleblower testimony on the company’s broken defenses against hackers, security leaders took note of what NOT to do: hide or misrepresent a breach, which can lead to facing felony charges. 

A radical shift will occur where all organizations will be open and transparent in the face of a breach, resulting in about a 20% decrease in the lag time between disclosure of a breach and preliminary analysis of the impact to customers. 

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.