The global cybersecurity workforce gap has increased by 26.2% compared to 2021, with 3.4 million more workers needed to secure assets effectively, according to the (ISC)2 2022 Cybersecurity Workforce Study.
This represents a stark increase in the shortage of cybersecurity professionals compared to 2021, when the gap stood at 2.72 million. The research surveyed 11,779 individuals responsible for cybersecurity.
Expanding Recruitment
While the significantly increased gap is a big cause for concern, it also indicates that organizations are taking cybersecurity more seriously, according to (ISC)2’s CEO Clar Rosso, speaking exclusively to Infosecurity.
“While we saw the gap decrease during the height of the pandemic, most countries are far advanced in their post-pandemic recoveries and are continuing with digital transformation of a variety of back-office and public-facing functions. Hiring and workforce expansion has rebounded in a number of sectors post-pandemic as a result, including cybersecurity, delivering both the growth in the active workforce, as well as growth in the unfulfilled demand for cybersecurity practitioners. It is also encouraging, as the gap demonstrates increased awareness from organizations of the value of cybersecurity within their operations.”
Nevertheless, the need for extra cybersecurity staffing on top of an existing skills gap is putting organizations at significant risk. More than two-thirds (70%) of respondents reported that their organization does not have enough cybersecurity employees, with more than half arguing that staff deficits put their organization at a ‘moderate’ or ‘extreme’ risk of a cyber-attack.
Encouragingly, 72% of respondents expect their cybersecurity staff to increase somewhat or significantly within the next 12 months, which is higher than figures from the past two surveys (53% in 2021 and 41% in 2020). This follows the 11% rise in workers recorded this year. “The fact the workforce grew by 11%, some 464,000 is cause for celebration. Adding nearly half a million people to the active workforce is a significant investment in cyber safety and defense,” Rosso told Infosecurity.
Rosso also acknowledged the importance of government and broader industry initiatives to help organizations expand their workforce, particularly the ability to recruit those from non-traditional backgrounds.
“Significant inroads into reducing the cybersecurity skills gap can be made through government and industry initiatives to widen the talent pool and bring greater diversity and accessibility to cybersecurity jobs. Efforts like our own One Million Certified in Cybersecurity program, offering courseware and the exam for the (ISC)2 Certified in Cybersecurity certification for free to a million people globally, and to 100,000 people in the UK is an opportunity to bring a whole new generation of cybersecurity professionals into the workforce. From recent graduates to career changers and IT professionals looking to bolster their cybersecurity skillset, schemes such as this remove many of the economic, experience and accessibility barriers to entry that have limited growth in the talent pool and the active workforce,” she outlined.
Internal Factors
While finding enough qualified talent was cited as the biggest cause for the shortage of cybersecurity staff (43%), the research showed there were numerous other internal factors organizations should work on to address the skills deficit.
These included struggling to keep up with turnover/attrition (33%), not paying a competitive wage (31%), not having the budget (28%), not offering opportunities for growth/promotion for security staff (24%) and not putting enough resources into training non-security IT staff to become security staff (23%).
Unsurprisingly, stress and burnout were major concerns for cybersecurity professionals, with 70% feeling overworked. Additionally, culture and working conditions were key considerations regarding whether an employee would leave their job. For example, over half would consider switching jobs if they are no longer allowed to work remotely.
While three-quarters of respondents reported both strong job satisfaction and feeling passionate about cybersecurity work, 68% of respondents with low employee ratings indicate workplace culture impacts their effectiveness in responding to security incidents. Additionally, only 28% said their organization actively listens to and values the input of all staff.
A significant proportion of organizations appear to be taking steps to address these areas. Close to two-thirds (64%) of respondents said their organization is providing more flexible working conditions (e.g., work from home / work from anywhere), investing in training (64%) and recruiting, hiring and onboarding new staff (62%).
In the report’s press release, Rosso noted that retaining and attracting strong talent is more important than ever. “Professionals are saying loud and clear that corporate culture, experience, training and education investment and mentorship are paramount to keeping your team motivated, engaged and effective,” she said.
The study also examined diversity, equity and inclusion (DEI) within cybersecurity teams. More than half (55%) of employees believe diversity will increase among their teams within the next two years. However, 30% of female and 18% of non-white employees said they feel discriminated against at work, and only 40% of organizations offer employee DEI training.
Reasons for Optimism
Summing up the report to Infosecurity, Rosso emphasized that there are signs of optimism despite the challenges being experienced.
“We are seeing a positive outlook for greater diversity in the workforce,” she said. “Respondents also reported a strong preference for remote working, something that many now enjoy as a by-product of the pandemic workplace shift that has greatly improved job accessibility in cybersecurity and aids efforts to level-up well-paid job opportunities outside of London and the major cities. Together with a strong organization investment in training and professional development, these insights represent encouraging progress for both addressing the gap and retaining the skilled professionals we already have.”