Security Awareness Training

Addressing the Cybersecurity Skills Gap

The pandemic and the Great Resignation that followed have prompted an exodus of employees from their current roles in search of more desirable jobs. Many employers, in an effort to recruit these professionals, are stepping up to offer them better pay and incentives. These trends in the employment market have forced cybersecurity leaders to rethink their hiring practices.

The cybersecurity job and career industry already suffers from a long-standing labour shortage. While the occupational growth rate typically averages 8%, the rate for cybersecurity roles is over four times higher at 33%, according to the U.S Bureau of Labor Statistics data. The agency also projects that there will be more than 47,000 cybersecurity roles available by 2030.

While the cybersecurity skills gap exists worldwide, the demand varies by geographic location and specific role, with operations, provisioning, and governance positions having the most job openings as of Q1 2022—though there are many other needs spanning protection and defence.

Several factors contributing to the cybersecurity skills shortage

With so many job openings now—and all the discussions about the talent gap over the last decade—one might expect there would be more resources in the pipeline. However, companies have failed to scale resources in line with growing cybersecurity threats and cyber-attacks.

This undervaluation of the cybersecurity career has further failed to incentivize workers to join the industry. And that has led to heavier workloads and burnout for existing workers. Many of these professionals are struggling to succeed in high-stress environments, while others are transferring to different occupations or even exiting the workforce altogether.

Also, there is often an uphill battle for applicants wanting to enter the cybersecurity field, as a mismatch in qualifications and employers’ educational requirements filters out otherwise worthy applicants.

For example, most cybersecurity rolls require the Certified Information Systems Security Professional (CISSP) certification accompanied by a four-year degree. But for hiring managers, a CISSP qualification is about more than a candidate passing a test. According to the Cybersecurity Workforce Study the certification also requires five years’ experience, of which only one can be met by applying educational equivalence. This provides a self-defeating applicant filter to invalidate prospects who have minimal experience in upper-level positions.

More incentives needed to attract and retain cybersecurity talent

Today’s chief information security officers (CISOs) must flip the script and motivate their employees so they can hold onto top talent while simultaneously encouraging newcomers to enter the field. 

ISC2, ISACA, and other organizations have highlighted steps to increase the value of the cybersecurity career. While compensation will continue to be a top draw, the high-pressure environment of the cybersecurity arena requires leaders to conceive of additional incentives to gain and keep skilled workers.

Organizations struggling to attract and retain talent are often the first to admit they have much work to do. In a recent ISSA study, 59% of respondents reported that their organizations could do more to address the cybersecurity skills shortage—with nearly one-third emphasizing their organization could be doing much more.

Building cybersecurity career paths, providing ongoing education, recognizing employee efforts and developing mentoring programs are just the first steps toward creating the workforce we all need. When we address the cybersecurity experience gap, we must make an ongoing investment in talent that extends beyond a hiring bonus, including meshing a better alignment between the business and cybersecurity teams and giving appropriate recognition to the contribution of cybersecurity to overall business success.

Be sure to subscribe to our blog to ensure you never miss a post from our CISO team.