The global cybersecurity workforce grew to encompass 4.7 million people, reaching its highest-ever levels, according to (ISC)2 2022 workforce study. That’s the encouraging news.
However, the same study found that there is still a need for more than 3.4 million security professionals, an increase of over 26% from 2021’s numbers. This reverses a trend seen in (ISC)2's 2021 study, where the number of open cybersecurity jobs actually dropped over a two-year period.
Will the 2022 trend continue in 2023 or was this year just a blip in what had otherwise been promising employment news from the start of this decade?
“I believe the cybersecurity talent gap will remain an ongoing challenge in 2023,” said Caroline Vignollet, SVP of research and development at OneSpan.
The core problem, adding to the security gap, remains unchanged. The demand for cybersecurity is greater than ever, due to an evolving threat landscape with attacks that are more difficult to detect and defend. But the available potential workforce isn’t keeping pace with that demand, largely because of a lack of interest from young people entering the job market.
“Over the years, working in the cybersecurity industry has unfortunately been positioned as an unfavorable experience, which has resulted in the younger generation showing less interest in it,” said Vignollet.
The youth gap
Industry can blame the lack of interest among today’s college students and recent graduates on insufficient curriculum in STEM studies, said Taylor Ellis, customer threat analyst at Horizon3ai.
Too many current and former students lack the adequate skills in math and science, Ellis said, which prevents them from qualifying for advanced programs in technology that could steer them towards cybersecurity careers.
“As a result, many managers report that the main problem with closing the talent gap has more to do with skills rather than with the recruiting of cyber professionals,” said Ellis.
Too many organizations hiring cybersecurity talent are looking for unicorns — those candidates who are able to check off every single box on the application form. Instead, it is more important to remember that technical skills can often be taught.
What those looking for cybersecurity staff should look at in individual applicants are the soft skills, which tend to come naturally rather than through classroom education.
“The technical/soft skills combination is often what companies need to foster continuous strengthening of their cybersecurity posture,” said Ellis.
Having high adaptability that comes with this mix of technical and soft skills is crucial in the cyber industry. While an individual may be talented in one niche, they will eventually be asked to take on new duties as technologies emerge.
For example, a new hire may have experience in cloud security, but working in the cloud is rapidly expanding to include areas such as artificial intelligence, blockchain and IoT.
“When recruiting for cybersecurity positions, it is important for businesses to think about an individual’s level of adaptability and flexibility when handling technical issues,” said Ellis.
Companies should be looking for personnel who also have the determination and drive to learn from both their managers and other sources. This includes recruiting personnel who have experience performing technical skills on their own (self-taught is often the most valuable) and those with a strong aptitude for problem solving and trial and error.
As long as candidates are pigeon-holed into narrow educational paths, both at a corporate level and at the educational level, it will be more difficult to attract young people into the field.
What universities are doing
While many organizations have begun to look from within to train and promote current employees to take on cybersecurity roles, colleges will have to address the larger talent gap. The problem is that cybersecurity is a relatively new field and higher education is slow to evolve when it comes to new curricula.
“Universities and their structure are built on research and rigor,” Will Carlson, senior director of content with Cybrary. This can often mean that they struggle to apply that model to emergent fields such as cybersecurity.
But another problem in higher education looms: There is a shortage of university professors willing and able to teach cybersecurity to students.
“With the competitive increase in salary pay for the past ten years, many qualified cyber professionals prefer to work full-time in the private sector rather than teaching nights at college,” said Ellis.
But there is hope on the horizon. More universities are implementing courses specific to cybersecurity, and a growing number of cybersecurity professionals recognize that teaching, even on a part-time basis, improves their personal reputation within the industry and can lead to better opportunities.
Universities are partnering with the corporate sector, which allows students to practice their technical skills in a realistic cybersecurity setting.
These hands-on experiences will help students and provide companies with more talent to fill open jobs. In addition, the federal government is taking steps like the National Cyber Workforce and Education Summit that was held at the White House earlier in 2022.
But it will take time for these initiatives to take root.
“I would relish this prediction being wrong, but I believe we'll be lucky to see the skill gap remain flat in 2023,” said Carlson.