Network Security

Cyber skills gap shrinks, but lack of talent remains major risk factor

Government officials and job seekers meander a DHS Cyber and Tech Job Fair in 2016. (Ryan Henderson/DHS)

This year, the global cybersecurity workforce gap saw its first-ever year-over-year reduction, shrinking from 4 million to 3.1 million, according to the International Information System Security Certification Consortium, or (ISC)².

The gap narrowed within the U.S. as well, from roughly 498,000 open jobs to just 359,236, with 879,157 cyber professionals actively employed, according to the (ISC)² annual Cybersecurity Workforce Study.

Nevertheless, the gap is still large enough to pose a significant threat to organizations. Indeed, the (ISC)² reported that 56 percent of 3,790 surveyed cybersecurity workers around the globe said cyber staff shortages were putting their organizations at risk, even with the total number of incidents staying at baseline levels. (The survey took place in April, May and June 2020.)

On the other hand, CyberSeek, an initiative that provides freely available data used to measure cyber job market supply and demand, reported this week that the U.S. skills gap is actually widening slightly, from roughly 508,000 unfilled positions and 922,720 employed professionals between June 2019 and May 2020 to 521,617 available jobs and 941,904 employed cyber pros between October 2019 and September 2020.

A joint initiative of NIST’s National Initiative for Cybersecurity Education (NICE), Burning Glass Technologies, and CompTIA, CyberSeek bases its figures directly upon the total number of online job listings for cybersecurity-related positions. The (ISC)², however, measures the cyber skills gap differently, defining the gap not as an estimate of open positions available to job applicants, but as “the difference between the number of skilled professionals that organizations need to protect their critical assets and the actual capacity available to take on this work.”

Despite using different methodologies, CyberSeek is in agreement with the (ISC)² conclusions that the skills gap places organizations' security in jeopardy. In a press release, CyberSeek said the lack of available cyber professionals “is approaching a danger level, putting digital privacy and infrastructure at greater risk.”

Of the (ISC)² survey respondents, 12 percent said a lack of cyber manpower left them extremely at risk, while 44 percent they were moderately at risk. Also, 22 percent said their organization suffered from a significant shortage of infosec help, while 42 percent said they were experiencing a slight shortage.

The report from (ISC)² said that the skills gap has decreased in 2020 because companies' investment in hiring cyber professionals has been “soft” due to “reduced average headcount demand in most company segments, excluding the largest employees.” demand globally down 5% from 2019.

“There is a sharp downshift in the estimated number of U.S. businesses that are investing in cybersecurity professionals, especially small and medium businesses. While slightly more large enterprises are investing in cybersecurity professionals compared to 2019, their actual 2020 hiring investment levels are lower,” the report stated, noting that headcount demand is globally down five percent from last year – perhaps in part due to Covid-19's impact on businesses and staffing budgets.

As a second factor, the estimated supply of available talent increased year-over-year by 25 percent, reaching a total of to 3.5 million individuals currently working in the field. The (ISC)² credits this uptick, which represents the addition of 700,000 more professionals, to “a strong base of industry migration,” plus organizations “increasing supply by investing in their current base of professionals.”

"Data suggests that employment in the field now needs to grow by approximately 41 percent in the U.S. and 89 precent worldwide in order to fill the talent gap, which remains a top concern of professionals," the report concluded.

Clar Rosso, CEO, (ISC)2.

"It’s encouraging to see such a large increase in the supply of cybersecurity professionals over the past year," said Clar Rosso, CEO of (ISC)2, in response to an inquiry from SC Media. "That tells us we’re doing something right as an industry to attract new talent to the field, or in some cases, convert staff from other departments in organizations and upskill them to cybersecurity positions. It’s had an impact on shrinking the gap.

"However, our respondents also told us they were concerned about the outlook for security personnel budgets as organizations implemented spending freezes earlier in the year" Rosso continued. "So, the pandemic has contributed to the decrease in demand, but next year might bring different results as businesses begin to reprioritize their cybersecurity needs."

According to CyberSeek, on a state-by-state basis the cybersecurity workforce supply/demand ratio was best in Washington DC (1.1), Colorado (1.3) and California (1.5), while worst was in the state of Maine (5.4). The national average was 1.8 for the time period studied.

One cyber position that's particularly in demand is the information security analyst. CyberSeek observed 166,000 job openings for that time, with only 125,570 infosec analysts roles actively filled.

CyberSeek reports that, on average, cybersecurity roles take 21 percent longer to fill compared to other IT jobs. The CyberSeek initiative looks to help cyber practitioners find their way to theses jobs through it's freely available available data and tools, which includes a newly enhanced, interactive career pathway that shows the various roles and jobs professionals can apply for in order to keep advancing in the industry and eventually reach their salary and job title goals.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.