Are you struggling to hire cybersecurity professionals for your business? You’re certainly not alone. The pandemic forced companies across industries to accelerate their digital transformation, adding more pressure to an already strained talent market. As a result, 43% of organizations said they can’t find the talent they need according to a recent study, while 61% admit it takes them three months or more to fill vacant cybersecurity positions.
The increasing complexity and frequency of cyber attacks, along with the evolving nature of these threats, has only heightened the importance of and demand for cybersecurity talent. As of 2021, there were around 3.5 million unfilled security job openings world-wide, and those jobs are expected to grow by 32% by 2028, far faster than the average for the overall market. In other words, as tricky as it is to fill these positions now, it’s only going to become more challenging if organizations don’t take proactive steps to expand their talent pool.
The Cybersecurity Roles and Skills Most In-Demand for 2022
One of the biggest challenges the cybersecurity job market presents for employers is that the skill set needed for these roles evolves quickly. Every new technology with a digital component has its own security needs and concerns, and the training and education available to tech candidates doesn’t always keep up with these shifting demands.
Among the most in-demand skill sets for cybersecurity workers are those related to penetration testing, a position also known as ethical hackers. These individuals help an organization protect sensitive data and information by trying to access the system the same way a malicious hacker would, identifying potential vulnerabilities so that the development team can address them. This requires both in-depth knowledge of security systems and a mix of soft skills, like a sharp eye for detail and creative problem solving ability.
There is also high demand for employees with backgrounds in application or cloud security. As more businesses utilize mobile applications to reach their audience, that increases the need for IT professionals who can protect against attacks and breaches in these programs. There’s been a similar uptick in the number of companies deciding to move to cloud-based systems. These services have a lot of benefits, especially for companies that use remote or hybrid models, letting their team access the tools and resources they need from anywhere. Unfortunately, that also opens up the possibility that others will gain entry. Because of this, even organizations that aren’t tech-focused increasingly need full-time information security professionals with experience designing and implementing security controls for cloud-based systems.
Is There Still a Cybersecurity Skills Gap?
The short answer to this is yes. The cybersecurity workforce has grown, but not nearly at the same rate as the number of jobs in the industry. The three areas highlighted above are where the talent supply has been most outpaced by growth in the number of opportunities: cloud computing security, application security, and security analysis and investigations.
This talent shortage has ramifications beyond increased risk of an attack or data breach. In a report released by the Information Systems Security Association (ISSA), they conducted a survey of current U.S. cybersecurity professionals about the challenges of their role. This research paints a somewhat dire picture of the current state of cybersecurity and the ways it’s likely to change in the future. Nearly two-thirds (62%) of people working in a cybersecurity role have seen their work load increase over the past year, while 38% report feelings of burnout. Most telling, 95% of respondents said this skill shortage has not improved over the past year. In fact, a little less than half (44%) feel the problem has only gotten worse.
Diversity in Cybersecurity Hiring
One way a company can help resolve this skill gap is by hiring professionals from under-represented groups. This is another area where current reports paint a somewhat grim picture. A 2021 article from We Forum shows that the industry is still overwhelmingly white, making up about 78% of the workforce, making black professionals (9%) and Asian professionals (8%) a distant second and third.
The hiring practices used in the cybersecurity market are a significant cause of this problem. Often, hiring teams will focus on headhunting talent from other companies, going after the same professionals as their competition. As a result, the same small pool of talent is passed back and forth between companies, and new professionals eager to break into the industry are ignored, often giving up their search and pivoting to different fields with an easier path to entry.
In addition, there is something of a catch-22 at play with many cybersecurity jobs. There are few truly entry-level positions available. Even candidates at associate or junior levels are expected to be experienced in the industry. If newcomers to the industry can never get hired, they have no way to gain the experience that would qualify them for these much-needed roles. Overcoming this problem starts with executives taking a hard look at their hiring practices and standards.
Overcoming the Cybersecurity Gender Gap
That We Forum report mentioned above also revealed disturbing figures on gender parity in the cybersecurity industry. Women represent about 24% of the cybersecurity workforce, despite comprising more than half of the overall population.
The same modifications to the hiring process mentioned above can also be an advantage for companies that want to improve their gender diversity. At the same time, though, organizations need to examine their culture to identify what might be deterring female professionals from applying to their openings. One issue is that cybersecurity professionals are often expected to work long hours or even have 24/7 on-call availability in some roles. This is a problem for applicants with families or caretaker responsibilities who may have all the right skills and knowledge but can’t reasonably drop their other commitments when work calls. Identifying and addressing the concerns that prevent qualified women from security jobs can help organizations resolve ongoing staffing shortages at the same time it creates a more diverse and inclusive overall workplace.
Other Hiring Trends in the Cybersecurity Field
The Top Cybersecurity Certifications
A Bachelor’s degree in computer science or a related field has been the standard education for a security engineer career for many years. This is still valuable education to have, but it doesn’t necessarily mean that person has the specific security skills an employer needs. An increasing number of job postings now ask for credentials and certifications beyond a 4-year degree, especially for senior positions and executive-level roles.
There are hundreds of these certifications available, including many focused on specific roles like Certified Ethical Hacker (CEH). For entry-level roles, Security+ certification is increasingly listed on job postings, and is appealing to job seekers because it can be obtained through self-guided courses online and doesn’t require prior industry experience to obtain.
For manager, director, and other leadership roles, a Certified Information Security Manager (CISM) credential is highly desirable. Obtained through the Information Systems Audit and Control Association (ISACA), this certification is geared toward mid-career professionals with at least five years of experience. Once obtained, certified professionals must continue to earn education credits to maintain their certification, so holding this certification doesn’t just indicate the professional’s current knowledge but also their dedication to continuous improvement.
Another advanced certificate for mid-career IT workers is the Certified Information Systems Security Professional (CISSP) offered by the International Information Systems Security Certification Consortium (ISC 2). Like the CISM certification above, a college degree and at least four years of experience in the industry are prerequisites for the credential.
Increased Demand for Fair and Competitive Compensation
Companies need cybersecurity professionals, but you wouldn’t necessarily know that from the pay rates many offer. In the 2021 ISSA survey, 33% of those who changed careers did so because their new role offered a higher salary. Higher compensation doesn’t just mean raising salaries, either. Nearly half of all respondents (48%) said their jobs don’t pay for ongoing training to maintain their skills, nor do they pay enough for the employees to fund this training out of their own pockets.
This is one of the most frustrating things for cybersecurity candidates. The same companies that bemoan the lack of reliable talent often don’t plan to pay those professionals what their skills are worth if they’re hired. For organizations struggling to attract and retain IT staff, performing salary benchmarking and other market research is a good first step to identify the problem. The bottom line is that if you truly value your cybersecurity talent, that needs to be reflected in the compensation they’re offered.
The Future of Cybersecurity
While the underlying causes of the current cybersecurity talent shortage are complex, one thing is clear: this isn’t a new issue, and it’s not going to go away on its own. The good news is that there are workers out there eager to launch their career as a security analyst or specialist if organizations know where and how to connect with them. For HR and business leaders, the time is now to interrogate your security needs, expectations, and hiring process.