By Niall Heaton • September 16, 2019
It appears the cyber security employment crisis has taken a turn for the worse. Companies are making some very basic mistakes during the recruitment process, overworked cybersecurity professionals are struggling to keep up with the daily demands of the job, and employers are struggling to retain them.

What’s causing the cyber security employment shortage to reach critical levels?

The cybersecurity skills gap is putting businesses at a lot of risk, as one might imagine. Worse still, there are no signs of abatement. But how did it come to this? Well, we’re going to discuss some of the main reasons in just a moment, although there is still hope that employers may be able to do something to mitigate this growing problem.

Let’s first set our focus on the employment shortage. A Cyberseek report revealed that approximately 1.1 million people in the US are currently employed in cybersecurity, even though more than 700,000 positions haven’t been filled as yet. A Cybersecurity Ventures report suggests that the global cyber workforce shortfall is currently at, on average, 3.5 million people.

Research done by the ISSA (Information Systems Security Association) suggests that 95% of cyber professionals believe the skills gap hasn’t improved in the last few years, while 44% believe that it has gotten much worse. And, unfortunately, broadcasting this skills gap has not done much to help bridge the employment shortage.

Why has this shortage reached a critical level and what are some of the underlying causes?

The current cybersecurity talent pool does not have enough diversity

The ISC did a recent workforce survey in which they reported that just 25% of the global cybersecurity workforce is female; another survey done in the US reported that even though 19% of the US population is Hispanic, only 4% of the cyber workforce comprises Hispanic professionals. Black Americans and Native Americans are also notably underrepresented in the cyber security sector.

Employers are not keeping pace with their skills

Employers in the cybersecurity sector must face new challenges as time moves forward – some of these include combating evolving threats against their data and systems, and increasing resilience on cloud security. Unfortunately, most employers are either so busy or so overworked that they do not have the time to undergo new training or pick up new skills in order to keep up with the ever-changing cybersecurity landscape – particularly the different threat mechanisms, which are getting more and more sophisticated.

While pursuing certifications, attending trainings and learning new technical skills are needed, picking up essential soft skills such as communication is especially important – but all continue to be overlooked.

Employers have set unrealistic expectations

Cybersecurity job requirements revolve around not just college degrees from reputable universities but also multiple certifications, along with many years of experience across multiple security disciplines.

Many candidates who would potentially be a ‘perfect match’ for an organisation do not bother applying for cybersecurity jobs because they believe their talents, skills and experiences may not be fully utilised or that they may be underpaid. And the ones that do apply are not contacted by the prospective employer because either they don’t have the right degree (or none at all), or they lack the right level of hands-on experience.

Cybersecurity specialists are parting with the profession

A recent Trellix report said that more than one-third of cybersecurity professionals are planning to switch careers. There’s also a major employee retention issue, mostly due to the incredible pressure involved in performing a cybersecurity job role effectively and ongoing staffing shortages.

In another report published by ISACA, the top reasons for cybersecurity personnel leaving their jobs were limited promotion and development opportunities, very high levels of stress, lack of management support, and poor financial incentives.

Cybersecurity positions are growing faster than companies can hire

The demand for cybersecurity and IT job roles is growing a lot faster than companies can keep up with. Massive staffing shortages are plaguing the industry, and they are made worse by the rapidly changing qualifications and requirements set out by businesses, especially those that have a more pressing need for ultra-secure systems and processes.

As mentioned at the start of the article, there are 769,736 job openings, to be precise, in the cybersecurity sector, and yet companies are having a hard time finding the right candidate for the job.

Rise in remote working

The ISSA conducted a global study along with industry analyst ESG, warning that a lack of investment, combined with the challenges of huge workloads, has led to a skills shortage which, in turn, has led to unfilled job positions and high burnout among information security professionals.

The study involved 500 cybersecurity professionals, where 57% said that a shortage of cybersecurity skills impacted their organisation, while 10% said it significantly impacted their organisation. This has resulted in an increased workload for information security personnel – that’s what 62% of the participants claimed; 38% of the 62% said they experienced burnout due to increasing work pressures during what was a difficult year.

The sudden rise of remote working has translated to more stress for cybersecurity staff because it has made certain aspects of managing enterprise network security more challenging and generally more complex – many cybersecurity personnel have never worked from home before and seem to be having trouble adjusting to the new ‘normal’.

Naturally, more remote working means cloud applications will be used a lot more too – more cybersecurity professionals are now needed to manage cloud computing security. Many organisations are struggling to find the right personnel to fill these gaps.

Conclusion: How can these staff shortages be fixed?

In addition to directly addressing some of the issues above, there are three key ways businesses can reduce the cybersecurity labour shortage:

1. Invite overseas applicants to meet the demand

The national average salary for cybersecurity professionals begins with six figures in most countries, so understandably, it’s a lucrative industry to be in. Employers should turn the bright minds of young cybersecurity professionals into their team members – encouraging them to work against hackers and not with them.

One of the ways of doing this is to encourage more overseas applicants by offering them generous incentives and giving them the right level of training early on. This brings us to a very critical point.

2. Additional training to help employees acquire the right skills and certifications

Businesses ought to research the latest, most sought-after certifications, according to their respective sector, business type and place/region of business. Giving employees access to the right certifications and upskilling programmes will help businesses create the ideal talent pool and better retain it too.

3. Work with academic institutions to recruit more young professionals at an early stage

Internships, student hires and mentorship programmes are just some of the ways the industry can be fed with eager new talent that’s ready to learn and meet challenging tasks head on.

The US Department of Labor actually announced a 120-day apprenticeship programme to provide professionals with better guidance in cyber jobs. Companies in other regions can do something similar to attract more talent and effectively retain it.