Three-quarters of businesses in the UK and the US have been hit by a serious cyber attack at least once since 2019, a 25% increase from the 60% reported by survey responders in 2021. But just as the number of attacks seems to be reaching new heights, the number of available cyber practitioners to combat these threats is alarmingly low. According to (ISC)² research, the shortage of cybersecurity professionals is close to 3.4 million globally. Asia-Pacific is facing the largest talent shortfall with a gap of 2.16 million professionals. The shortage of cyber manpower has a significant impact on organizations, which struggle to fill the ranks.
Reasons for shortage
Why are we facing such a shortage? It is important to note that the cybersecurity skills shortage is one facet of the larger IT skills shortage. In Australia, nearly half (46%) of businesses cited lack of IT talent as their biggest challenge.
The supply of IT talent (and, within it, cybersecurity talent) is rather steady (comprising the people graduating from universities, colleges and other training schemes), but the needs of industry and government for such talent have boomed in recent years. Almost every organization is more technological than it used to be, relying on local and cloud resources for operation. Most organizations now have some sort of IT function, even very low-tech companies. With cybersecurity being a specialized niche within the IT industry, it is easier to see why the shortage is more acute. In addition, regulators around the world are demanding that organizations fill specific cyber-related roles (for instance, a CISO) or create and operate security operations centers (SOC), which results in additional manpower requirements. Another contributing factor is that cybersecurity is a fairly new “profession”, and not many young people are aware of it as a career choice. As a result, fewer dedicated training programs exist (in comparison to “general IT” training), producing an insufficient number of graduates. It is also possible that cultural and economic reasons contribute to the shortage. IT security is perceived as less “sexy” than development roles, and in many places, IT security professionals are not as highly paid as software developers.
How to close the skills gap?
There are two ways of addressing the problem, locally and nation-wide. From a nation-wide perspective, governments must identify the gap, share this information with the public and address the issue. Sites such as aucyberexplorer portray cyber demand maps and help would-be cyber professionals in finding their next role.
Investment is then needed in order to curb this trend: allocating budgets for training schemes and widening the potential candidate pool by encouraging additional sectors of the population to engage in cybersecurity roles – women, minorities, veterans and older workers. Allocating funds appropriately will support people’s decision to make a career change into a cybersecurity position. Governments can also subsidize non-academic, professional courses (such as CompTIA Security, CISSP, CISA, CISM, CIPP, GIAC and others).
Sadly, all these initiatives (which are already being implemented by governments worldwide) are not enough and will not make an impact on the market in the coming years. It is down to the organization (or more accurately, the hiring managers), to come up with solutions. One way to deal with the problem is to offer premium salaries. In Australia, the average advertised cybersecurity annual salary is almost $130,000 – showing that organizations are willing to pay top dollar for talent. Additional activities should include scouting cyber and IT courses in the vicinity for potential candidates, offering internship programs, and also looking within the organization for potential candidates, offering them free training and certification to facilitate career change.
Organizations need to realize that not all cybersecurity positions were created equal. An entry-level position like a SOC analyst is very different from a malware researcher and as such could accommodate people with less experience. Experience can be quickly gained on the job particularly when coupled with hands-on training. Publishing job postings with an endless list of requirements will most likely drive good candidates away simply for lack of experience. If there’s one instance where you should be hiring for potential, not experience – cyber is it.
Conclusion and prediction
In recent years the job market has undergone tremendous changes: the move towards “work from anywhere”, the “Great Resignation” and now what seems to be the beginning of a recession. Throughout these changes, there is one steady trend, and that is the gap between vacant cybersecurity positions and available employees to fill them. It is unlikely that this trend will reverse or even slow (the opposite is the case). Organizations must act to address the challenge of hiring, training and retaining cyber talent. This will require new ways of thinking about who is hired, training opportunities pre- and post-employment, and employee retention strategies, together with a combination of people-centric tactics and technology.