For the second straight year, the worldwide cybersecurity skills gap shrank, according to a study recently published by the non-profit ISC2 (International Information Systems Security Certification Consortium). The report included responses from more than 4,700 security and IT professionals working in North America, Europe, Latin America and the Asia-Pacific region.
The study found that the global shortfall of skilled security professionals declined from 3.12 million in 2020 to 2.72 million this year. Overall, the ISC2 report estimated there are now about 4.2 million cybersecurity pros working throughout the world. This increase in cyber professionals and the closing of the skills gap also comes at a time when most organizations are continuing to rely on a remote or hybrid workforce that remains a tempting target for attackers and fraudsters.
“The pandemic has fundamentally changed where organizations maintain their business-critical data and how and where employees access them,” said John Morgan, the CEO of security firm Confluera. “Despite some organizations starting to return to partial in-office operations, the concept is no longer seen as a required norm but rather part of a flexible work model. This has profound implications for cybersecurity professionals.”
Despite these gains, the ISC2 study also shows that the global cybersecurity workforce is still about 65 percent below what organizations need to fill all the current open cybersecurity positions worldwide. The APAC region, for example, has a skills gap of about 1.42 million, while North America reports about a 400,000 shortfall.
And certain skills still matter. About 45 percent of survey respondents report that cloud infrastructure is their main area of concern, reflecting the new reality of how employees access data. Endpoint security, application security, mobile device management and knowledge of zero trust concepts round out the top five.
“The cybersecurity workforce—the very people on the front lines defending our critical assets around the world—are telling us where talent is needed most; that old habits in hiring need to change; that technology spending alone won’t fix our problems; that remote work is a greater opportunity than a threat; and that they expect meaningful diversity, equity and inclusion (DEI) initiatives from their employers,” according to the ISC2 report.
Closing the Gap
While there is no single reason why the skills gap has narrowed recently, some security experts and analysts point to an increasing focus on cybersecurity by the U.S. government, coupled with several high-profile attacks, as having moved security up the priority chain.
Earlier this year, President Joe Biden not only signed an extensive executive order focused on cybersecurity but also hosted a meeting at the White House with several companies that resulted in promises to train and hire more security professionals. Microsoft, one of the companies in attendance for that meeting, has also promised to provide training materials and scholarships to public community colleges to address security skills.
“An impact on the skills gap is the government focus on cybersecurity such as the Biden administration executive order on improving the United States’ cybersecurity stature, the K-12 Cybersecurity Act signed by President Biden and the guidance issued by the National Security Agency and Cybersecurity and Infrastructure Security Agency focused on how to choose the right VPN technology,” Heather Paunet, senior vice president at security firm Untangle, told Dice.
“These executive orders and guidance are compelling businesses to take seriously the measures they need to put in place to protect themselves. This includes staffing with the right expertise to follow those guidelines,” Paunet added. “However, the demand is outpacing the resource pool, which has not caught up yet.”
Despite these talks, thousands of open cybersecurity jobs remain. Cyber Seek, a job-tracking database developed by the Department of Commerce and CompTIA, estimates there are 465,000 open cyber positions across the U.S., with about 36,000 of these positions open across federal, state and local government agencies.
John Bambenek, a principal threat hunter at Netenrich, noted that another way to help close the skills gap is not by hiring more cybersecurity professionals, but by baking security into areas such as hardware creation and the DevOps process. By tackling fundamentals, organizations can free up time and space for advanced security operations.
“Software engineers need to know how to write secure code, device manufacturers need to know how to make hardened and secure IoT systems, and cloud administrators need to know how to secure cloud services,” Bambenek told Dice. “While I need more cybersecurity professionals, I need everyone in the technology ecosystem to up-level their security skills so I don’t have so much to do to start. The biggest of these is knowledge in cloud security—as that is where many applications are going—and secure coding. If we can solve those two, we’re solving much of today’s threat landscape.”
Can ‘Networking’ Help?
Several security experts noted that they would like to see more security professionals develop skills or have experience with enterprise-level networking technologies as a way to better understand the complexities of modern infrastructure, whether it’s still on-premises or moved to the cloud.
On a practical level, Paunet recommends both the Cisco Certified Network Associate certificate as well as the more advanced Cisco Certified Network Professional certificate as two ways to help build up additional credentials in the cybersecurity field. She also believes that other traits, such as critical thinking, can make a difference.
“In order to close the skills gap, businesses would do well to attract candidates with other strong skills—critical thinking, business analysis—by offering them to come on board and go through that training while employed—giving them the funding and time to get certified while on the job,” Paunet said.
John Hellickson, a cyber executive advisor at consulting firm Coalfire, also sees ways of closing the skills gap and moving motivated professionals into new cyber careers by tapping into the hidden talents of network architects, as well as by taking employees working at network operations centers and giving them added training to prepare for careers in security operations centers (SOCs).
“Also, be ready and open for your team members to move on to increased roles at other organizations as they continue to hone their skills, as these moves should be celebrated even though there are challenges to backfill,” Hellickson told Dice. “Become good at recognizing fatigue and burnout so you can retain the talent you do have who may be more on the front lines of the threats your company faces. Lastly, look at joining non-profits that focus on growing the next generation of cybersecurity talent, such as the Security Advisor Alliance.”
Confluera’s Morgan also notes that while automation can solve some issues, it’s up to organizations to subsequently move resources around to put the right people in place to help tackle larger cybersecurity issues.
“Organizations have to deploy solutions that maximize the resources they have—better directing their security analyst resources to investigate issues that ‘matter’ while automating preventative security into a DevSecOps culture,” Morgan told Dice.