The latest (ISC)² Cybersecurity Workforce Study assesses the size of the current cybersecurity workforce as well as the existing talent shortage. For the third year running, the study provides two critical measures of the cybersecurity profession—the Cybersecurity Workforce Estimate and the Cybersecurity Workforce Gap.
"First, it is exciting to see tremendous growth in the field to bolster defenses against new threats. More than 700,000 cybersecurity professionals joined the workforce despite the uncertain economic conditions created by the ongoing COVID-19 pandemic. Second, while we saw the talent gap rising in most regions, conditions in APAC contributed to an overall decline in the Cybersecurity Workforce Gap for the second year in a row. This underscores that the need for more cybersecurity professionals continues to outpace the growing pool of available talent, putting pressure and increased urgency on organizations around the world to find solutions."
Cyber vendors weighed in on this latest report and how they see the talent shortage evolving.
John Morgan, CEO at Confluera:
"The pandemic has fundamentally changed where organizations maintain their business-critical data and how/where employees access them. Despite some organizations starting to return to partial in-office operations, the concept is no longer seen as a required norm but rather part of a flexible work model. This has profound implications for cyber security professionals. To support anywhere, anytime, any device access, organizations had to rapidly adopt cloud services at a pace that did not allow for a well-planned cloud security strategy. The security analysts often had to make do with solutions already in place, despite them being designed for a more traditional environment. Cyber security professionals have to first catch up the security strategy and solutions to better align and secure cloud environments and endpoints; but catch up isn’t enough, they must provide a path to business growth.
Education and automation are key to increasing the productivity of the existing workforce. Invest in those you have while incentivizing others to move into security. Despite the positive outlook, the skills shortage in the cybersecurity industry is not a challenge we can expect to solve in the near future. The adage ‘work smarter, not harder’ applies to this challenge. Organizations have to deploy solutions that maximize the resources they have - better directing their security analyst resources to investigate issues that ‘matter’ while automating preventative security into a DevSecOps culture. Alert fatigue from traditional security solutions must be avoided."
Heather Paunet, Senior Vice President at Untangle:
"The past two years have shifted the emphasis on enabling and securing remote and hybrid workers. Cybersecurity professionals have been tasked with making everything as accessible and secure as possible, no matter whether employees are working at home, in the office or switching between the two.
Another impact, per Untangle’s SMB IT Security Survey, is that since IT administrators transitioned the workforce remotely, the IT infrastructure deployed in the cloud has increased. Of those SMBs surveyed, 58% report having 10% or more of their IT infrastructure in the cloud. This has likely been because IT activities and staff were remote, and accessing a server room remotely was not a possibility, and companies found accessing cloud infrastructure remotely was a similar experience.
Moving forward, it will be important that companies provide a path to get training and certifications, and put an emphasis on traits such as adaptability and willingness to learn so that people in IT can get the skills that they need.
In addition, it’s helpful to choose solutions that are designed with easy-to-use UIs that abstract a lot of the complexity from what the IT administrator needs to do or understand. Choose UI-based tools rather than command-line tools. For example, being able to set up VPN networks with a few clicks from a cloud-based management tool is a lot easier than having to go to each site on the network and configure it individually to talk to other sites. Tools that abstract the complexity and are designed to analyze and automate configuration will help less skilled personnel be effective."
John Bambenek, Principal Threat Hunter at Netenrich:
"Many mid-career professionals are struggling with burn-out. When professionals are in constant fire-fighting mode but don’t have the mental break of actually leaving work, the stress effects seem to linger into our personal lives. Much like first responders, cybersecurity professionals need to manage the unique stresses that can come with this work and make sure they can fully disconnect from work when not on work time, which was far easier to do when we had to go to an office and leave.
Ultimately organizations either have to hire more people, rely on vendors for services, or invest in automation (likely some form of all three). The work needs doing regardless of headcount, so if automation can handle the easy problems then you can focus the limited number of humans on those problems that require a person to resolve."
John Hellickson, Cyber Executive Advisor at Coalfire:
"The ability to work from anywhere, not only for their own career options, but also for their need to enable organizations to have a 'secure' mobile workforce, has been one of the most lasting impacts of the pandemic on cyber security professionals. As companies continue to recruit the best talent from across the world, this should also enable cybersecurity professionals to live in areas where they could pursue their passions and hobbies that they wouldn't have been able to otherwise, which then will hopefully reduce the burnout factor that we're also seeing in the industry. The downside to being able to recruit from anywhere is that it's now hard to keep top talent, as cybersecurity professionals now have more job opportunities and can get large salary increases when job hopping.
So, what can organizations do to compensate for the lack of skilled personnel? Look at talent within, such as your Network Operations Center (NOC) for talent that you could train up into your Security Operations Center (SOC), your Network Architects who may want to specialize in a more lucrative cybersecurity career, or even business process experts who can help you improve your processes to get more done with the limited resources you have. Also, be ready and open for your team members to move on to increased roles at other organizations as they continue to hone their skills, as these moves should be celebrated even though there are challenges to backfill. Become good at recognizing fatigue & burnout so you can retain the talent you do have who may be more on the front lines of the threats your company faces. Lastly, look at joining non-profits that focus on growing the next generation of cybersecurity talent, such as the Security Advisor Alliance that I and many other CISOs contribute to, and offer your advice and coaching to organizations who may not be able to hire dedicated security professionals."