Why the Cybersecurity Skills Gap Continues to Widen

With employees preparing for long-term remote work that is likely to stretch into 2021 (and possibly beyond), cyber-threats are a growing concern. That means cybersecurity is increasingly valuable to businesses looking to stay afloat during uncertain times.

And yet the cybersecurity skills gap remains, with important positions unfilled.

The reasons for this skills gap, and for all those open positions, are numerous, but a recent survey conducted by Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) finds that many cybersecurity workers feel constrained by a lack of career development and training offered to them.

At the same time, security pros believe that organizations lack strategic planning when it comes to cybersecurity. The result is that enterprises that need highly-skilled and motivated employees to ensure the business is secure are not taking the right steps to nurture the talent needed to make that happen.

“The data uncovered in this research year-over-year also demonstrates that there are multiple issues contributing to the problem of ‘a cybersecurity skills gap,’ including that businesses don’t understand the role of information security, there is no clear and agreed upon career map within our profession, and cybersecurity professionals are under constant stress of attempting to improve collaboration efforts with IT,” Jon Oltsik, senior principal analyst and fellow with ESG, wrote in the report titled The Life and Times of Cybersecurity Professionals 2020.

Cybersecurity Skills by the Numbers

The survey is based on interviews with 327 cybersecurity professionals and ISSA members, with the majority working in North America and others representing Europe, Asia, and parts of Central and South America.

Of those surveyed, seven out of 10 report that their organization has been affected by the worldwide cybersecurity skills shortage. What’s more, around 45 percent believe the skills shortage has gotten worse over the past year, while 48 percent believe it has stayed about the same. Only 7 percent believe there’s been an improvement.

One reason for this muddied view of the profession is that about 68 percent of those surveyed don’t believe they have a well-defined career path. When asked what matters most for career progression, about 52 percent of participants think that hands-on skills count the most, while 44 percent believe that hands-on experience and certifications are equally important.

Steve Durbin, managing director of the not-for-profit Information Security Forum, believes that one of the major issues behind this skills gap is a disconnect between human resources and the security teams. Simply put, HR doesn’t quite realize which cybersecurity skills are important, or the demands that protecting the enterprise from threats (both internal and external) places on cybersecurity professionals.

“This hinders the organization’s ability to identify relevant talent and provide adequate support for the professional development of the security workforce,” Durbin told Dice. “To bridge the divide, the information security function needs to adopt a series of well-established HR concepts. Workforce planning, the adoption of competency frameworks, along with a well-structured workforce management program, also known as talent management, are fundamental to the future success of attraction and retention strategies.”

COVID-19 Adds to the Security Headache

The ESG and ISSA study was conducted in late 2019 and early 2020, which means the survey’s results likely missed the effects that COVID-19 is having on the cybersecurity profession. The pandemic has unleashed more stress on security pros trying to ensure workers and data stay safe outside the confines of the traditional corporate IT network.

Even before COVID-19 hit, however, the skills gap was getting wider, and open positions more numerous.

A November 2019 report by the International Information System Security Certification Consortium ((ISC)²) found that, while there were approximately 2.8 million security professionals working worldwide at the time, another 4 million trained professionals were still needed to close the cybersecurity skills gap. That’s an increase of 145 percent.

Durbin believes that, in the world of COVID-19, enterprises and organizations need to rethink their approach to how they recruit and hire cybersecurity professionals. He recommends businesses develop champion or ambassadorial programs to reinforce the value of a career in information security, as well as consider new methods to encourage the recruitment of competencies and skills that are under-represented in the organization.

“In today’s COVID-19 reality, to rectify the continued cyber skills shortage, organizations are being encouraged to realign their focus to candidates with aptitude, attitude and broad experience,” Durbin said. “Redefining candidate requirements will enable organizations to expand their group of potential candidates, helping to build tomorrow’s security workforce in a cost-effective and timely manner.”

He added: “To build a sustainable security workforce, organizations should adapt to market demands by seeking candidates with diverse competencies and skill sets coupled with providing competitive benefits and structured career development. For some these changes are already underway but for the majority, the approach is still new and untried.”

More Effective Security Leadership

Among its other findings, the ESG and ISSA survey notes that a lack of training and career development can have an impact on the effectiveness of an organization’s CISO and on how workers view their boss.

Of those surveyed, about 42 percent rated their organization’s CISO as “very” effective, while another 47 percent thought of their security leader as “somewhat” effective. Another 12 percent rated their CISO as “not very” or “not at all” effective.

“Overall, there is room for improvement,” Oltsik wrote in the report. “This may reveal that few CISOs have the blend of business, leadership, communications, and technical skills necessary for success.”

One way for a CISO to become more effective is to ensure that cybersecurity is a shared burden across the whole enterprise, said Lisa Plaggemier, the chief strategy officer at MediaPro, a Seattle-based provider of cybersecurity and privacy education. This can include a wide range of improvements, from teaching developers to incorporate good security practices into the DevOps process to training employees to recognize threats, such as phishing, before they damage the organization.

“Providing more security knowledge to people in IT, software developers, data architects, etc. so that they can do their jobs more securely could reduce the burden on the already stretched security professionals,” Plaggemier told Dice. “Some security teams resist enabling people outside of the security function, but as long as we ‘keep it all to ourselves’ and don’t work with the business, we will perpetually feel like we don’t have enough resources to get the job done.”

13 Responses to “Why the Cybersecurity Skills Gap Continues to Widen”

  1. Rus Burgess

    Another reason for the skills gap is the small pool of available candidates. When a company is looking to fill a position, it is rare to find one that is willing to provide the required risk associated with a new background check (cost and time). Most companies seeking a cleared employee require that the clearance is already in place; if you cannot get those companies to take the risk, how can they expect to hire from such a limited pool? Candidates that already passed a federal suitability screening should be considered a minimal risk. Other candidates that have held a secret or higher clearance should also be considered a minimal risk, as the period to be reviewed is shorter than for a candidate without any prior clearance. So, the skills and background are there, but the current clearance status is the only criterion holding them back.

  2. Walter Wittel

    Take a look at the picture at the top of your article. It excludes ~50 percent of the population by sex, and many more by race and age. The industry might want to consider being more inclusive, and actually making people that aren’t young white males feel welcome and supported.

    • Oh stop it with the racial and inclusion stuff. I’m in a masters information systems program and there are countless women and minorities in there as well. Getting so tired of everything being about race and gender... How about your skills and accomplishments... there’s something new.

      • Walter Wittel

        Bro, thanks for the great example of why most of the tech industry isn’t very diverse. And I’ll bet the “countless” women and minorities in your program could provide a more exact figure of the ratios in your program.

        • Well you know it is hard to select candidates from that ever decreasing pool of pristine white boys. Sooner or later they are just gonna have to hire women, maybe old folks with some experience and that most dreaded candidate of all people with any kind of skin pigmentation containing melanin.

  3. This is certainly a surprise to me. I really have to wonder about the “shortage” as I am a recent graduate from a cyber security program and the instructor admitted that many students could not even get interviews. I have my resume with several recruiters, but NO calls.
    I worked help desk at my school and my resume clearly says that I am looking for work in cyber security, but ALL the calls I get are for help desk because I have some experience in help desk at the school. When I ask recruiters about jobs in cyber security, they sort of give me a blank look over the phone; they have HEARD of it, but no demand for it. For that matter, I rarely see openings for entry level positions. Several people that graduated from my program are working... “help desk”.

    • Rocky Dog

      Yes, I do have to wonder about that shortage myself. I have a masters in cybersecurity. 20 years in infrastructure. Middle aged boring woman, meaning not a risky lifestyle, no crime, no drugs. My job prospects are worse.

    • The other problem I see is they should be willing to take someone and mold them. They have entry-level positions, yet for these positions they want 5 to 7 years experience. Many want someone already seasoned, yet with the unicorn approach, the skills gap gets wider and vulnerabilities more exposed. Hackers are not waiting; why should we?

  4. Bob Hatcher

    Ironically, in Virginia, due to the overabundance of federal jobs involving all branches of the military, they are constantly pushing for people who know cybersecurity. However, in most cases you have to have a secret or higher security clearance to even get your foot in the door. I am an older person with near 50 years of experience who should be retired, but I still have a house payment, so I am trying to get a job, but every company wants security certifications, so I have all the necessary CompTIA ones and am working on CCNA 201-300, and so far nothing.

  5. Nice picture of young white boys. If companies would hire the rest of the population, there wouldn’t be a shortage. IT in general only hires young (under 40), white, and male. 20 years in IT and nothing for women.

  6. Daniel Bertram

    I need to retrain and get moving? Human services are great, but it’s not the only thing in life. Nice to help people, but I would like to help them in a different way. I am an old white male who wants to develop a new career. If you have suggestions as to where to begin to acquire experience and knowledge, I am game, but starting seems a bit disconcerting. Suggestions?? Please.