Main image of article Tech Pros with Cybersecurity Skills Needed as Threats Grow

Over the last 10 months, cybersecurity spending has weathered economic uncertainty and rising interest rates better than the global tech industry as a whole. The Wall Street Journal recently found that the average cyber budget will increase by about 6 percent in 2023. 

While those numbers are not the double-digit growth seen in the previous two years for cybersecurity budgets, the modest increases show cybersecurity remains a top priority for many enterprises and organizations, even as other parts of the IT budget are trimmed and hiring tech talent remains tight.

Still, cybersecurity has its unique problems and challenges. In early October, ISACA released its annual State of Cybersecurity study that included responses from more than 2,100 cybersecurity professionals in North America, Europe, Asia and other parts of the world. The results showed that 48 percent of respondents believe their organizations are more vulnerable to threats now compared to the previous year.

At the same time, 59 percent of respondents told the researchers that their cybersecurity teams are understaffed.

Despite efforts by the White House and private industry to close the so-called skills gap over the last year, the ISACA study finds that more than half of the respondents (56 percent) report that retaining qualified talent is their biggest challenge. The numbers also show that about half of respondents indicated that their organization has job openings for non-entry level cybersecurity roles, with 21 percent reporting that their organization has job openings for entry-level security positions.

The ongoing need for skilled workers, combined with increasing threats, greater regulatory concerns and resource constraints, point to continued tough times ahead for cybersecurity. This is especially true for enterprises that need to improve their cyber posture, industry insiders and experts noted.

“There are some ways to close the gap, which include promoting cybersecurity education, offering mentorship and internships, increasing diversity and providing ongoing professional development opportunities,” Omri Weinberg, co-founder and chief revenue officer at security firm DoControl, told Dice. “Collaboration among stakeholders is essential to address this challenge effectively. It all starts at the top. If this is a top priority to the board of directors, CEO and other executives, they will invest more time, money and effort to educate the next generation alongside educational institutions to create more awareness and opportunities for the future of the cyber workforce.”

Tech Skills and Soft Skills

The ISACA study finds that organizations of all sizes need tech professionals who have a combination of hard technical skills and soft skills that can help them communicate to the larger organization about cyber threats and how to respond.

“One of the greatest challenges is finding individuals with both a technical and non-technical skill set,” said Mandy Pote, managing principal for strategy, privacy and risk at consulting firm Coalfire.

The ISACA survey respondents report that five technical skill sets are in high demand. These include:
 

  • Identity and access management (49 percent)
  • Cloud computing (48 percent)
  • Data protection (44 percent)
  • Incident response (44 percent)
  • DevSecOps (36 percent)

At the same time, however, soft skills such as communication (58 percent), critical thinking (54 percent), problem-solving (49 percent), teamwork (45 percent) and attention to detail (36 percent) are also in high demand. The difficulty for many enterprises is finding multiple candidates who have experience in both areas. 

This means companies need to look outside normal hiring channels. “The most effective way to find candidates with both technical and non-technical experience may require looking internally,” Pote told Dice. “Cross-training or job shadowing can be an effective tool to give individuals hands-on experience with new tasks outside of their daily routine to expose them to different skill sets.”

For tech pros beginning their careers, industry experts note that it’s best to acquire a good foundational education in IT, networking and cyber systems and then gain additional skills along the way, including soft skills that are valuable to the organization.

“Specialization can be beneficial—whether that's in artificial intelligence, cloud security, DevSecOps, threat intelligence or another area of interest,” Craig Jones, vice president of security operations at Ontinue, told Dice. “It’s worth noting that while technical skills are important, soft skills like communication, problem-solving and teamwork should not be overlooked, as these are equally important in a cybersecurity role.”

With much of the enterprise world working in remote or hybrid models for the foreseeable future, experts such as Ravi Pattabhi, vice president of cloud security at ColorTokens, noted that it’s not surprising that, of all the skills needed, those who understand cloud computing remain in high demand. 

“Companies are primarily looking for employees who have some experience using basic security tools such as pen testing and scanning tools,” Pattabhi told Dice. “In addition, rapid, global cloud adoption means it is really important for fresh grads to have some level of familiarity with cloud and securing cloud infrastructure. There is a great demand for college graduates with cloud experience in Amazon Web Services, Azure and Google Cloud Platform, especially developers.”

Thinking Outside Normal Recruiting Channels

The ISACA and other studies show that filling all the available cybersecurity positions remains an impossible goal without thinking outside normal recruiting channels, Pote and other industry experts noted. 

This includes looking within the organization for talented employees who might not work within the IT and security teams, but have the basic skills needed to fill critical roles.

“Employers need to take a more active approach to recruit from non-traditional backgrounds, which, in turn, significantly expands the candidate pool from just those with formal degrees to individuals, who, with the right training, have incredibly high potential,” Dave Gerry, CEO at Bugcrowd told Dice. “Additionally, this provides the opportunity for folks from diverse backgrounds, who otherwise wouldn’t be able to receive formal training, to break into the cybersecurity industry providing income, career and wealth-creation opportunities that they otherwise may not have access to.”

For organizations serious about cybersecurity, expanding the talent pool is a start, but more can be done. “Organizations need to continue to expand their recruiting pool, account for the bias that can currently exist in cyber-recruiting, and provide in-depth training via apprenticeships, internships and on-the-job training, to help create the next generation of cyber talent,” Gerry said.