The cyber security workforce shortage has risen to a record high of just under 4 million despite the cyber security workforce growing by almost 10 per cent in the last year.
That’s according to the latest Cybersecurity Workforce Study from ISC2, the nonprofit member organisation for cyber security professionals. The gap between the number of workers needed and the number available has risen 12.6 per cent year over year, with cutbacks, economic uncertainty, artificial intelligence (AI) and a challenging threat landscape as key driving forces, the research found.
The current global workforce gap is estimated to be 3,999,964 while the workforce itself is estimated to be 5,452,732, according to ISC2. Meanwhile, organisations are investing in strategies to prevent or mitigate the staffing issues they face.
Two-thirds of organisations lack staff needed to prevent, troubleshoot security issues
Two-thirds (67 per cent) of the 14,865 cyber security professionals surveyed reported that their organisation has a shortage of cyber security staff needed to prevent and troubleshoot security issues. Cost-saving cutbacks such as budget cuts, layoffs and hiring/promotions freezes are playing a fundamental role, the report found.
Overall, 47 per cent of cyber security workers have experienced cyber security-related cutbacks, with 22 per cent of this group having been impacted by layoffs within cyber security. An additional 28 per cent have had layoffs elsewhere in their organisations, which can significantly affect the cyber security workforce. Nearly half of respondents stated that cutbacks have affected their security team disproportionately in comparison to the rest of their organisation, with 71 per cent having experienced a negative impact on their workload and 57 per cent seeing their ability to respond to cyber security threats impacted as a result.
The entertainment (33 per cent), construction (31 per cent) and automotive (29 per cent) sectors have been hit particularly hard by layoffs in cyber security. The military/military contractor (8 per cent), government (9 per cent) and education (13 per cent) sectors have been the least affected. Geographically, Latin America (Brazil and Mexico) has seen the greatest layoffs, followed by Nigeria and the United Arab Emirates. Countries with the fewest layoffs are Hong Kong, the US and Saudi Arabia.
Cyber security skills gaps just as challenging as shortages
Staffing shortages aren’t the only workforce problem organisations face: there is also a clear and critical need to fill skills gaps in the cyber security profession, ISC2 found. A skills gap is an area in which cyber security teams lack workers with proficiency or expertise in particular skills that are necessary to function effectively.
More than half (59 per cent) of cyber security workers said that skills gaps can be worse than total worker shortages, while 92 per cent reported skills gaps at their organisation, the most common being cloud computing security, AI/ML and zero-trust implementation. Almost half (43 per cent) cited one or more significant or critical skills gaps within their company. An inability to find people with the right skills (44 per cent), struggling to keep people with in-demand skills (42 per cent) and lacking the budget to hire people (41 per cent) are the biggest causes for these skills gaps, according to the report.
What’s more, layoffs seem to have a greater effect on skills gaps than they do on total staffing shortages. Most organisations that have had cyber security layoffs (51 per cent) have been impacted by one or more significant skills gaps compared to just 39 per cent of organisations that have not had layoffs, according to ISC2. Interestingly, 58 per cent of respondents stated that the negative impact of worker shortages can be mitigated by filling key skills gaps.
Business investing to tackle cyber security staff, skills shortages
Organisations are focusing on strategies for tackling the cyber security staff and skills shortages they face, the report found. Investing in training (72 per cent), providing more flexible working conditions (69 per cent), investing in diversity, equity and inclusion (DEI) initiatives, recruiting, hiring and onboarding of new staff (67 per cent) and using technology to automate aspects of the security job (65 per cent) were all cited as being high on the agenda.
Despite significant turmoil, cyber security workers appear fairly content with their roles, ISC2 noted. Almost three-quarters (70 per cent) reported being somewhat or very satisfied in their jobs – a 4 per cent dip compared to last year – while 82 per cent said they work well with security team members. The data also showed that the makeup of the cyber security workforce is changing both in gender and race/ethnicity. The biggest change was in non-white men by age; within the US, Canada, Ireland and the UK, 70 per cent of cyber security professionals 60 or older are white men. In those same countries, just 37 per cent of those under 30 are white men. Two-thirds (66 per cent) of security workers who entered the profession in the US, Canada, Ireland and the UK in the past 12 months were non-white.
Cyber security professionals clearly value a diverse workforce, with 69 per cent stating that an inclusive environment is essential for their team to succeed and 65 per cent stating that it is important that their security team is diverse. Over half of respondents (57 per cent) said that DEI will continue to become more important for their cyber security team over the next five years.
Cyber security workforce must double to tackle threats
“While we celebrate the record number of new cyber security professionals entering the field, the pressing reality is that we must double this workforce to adequately protect organisations and their critical assets,” said ISC2 CEO Clar Rosso. “Amid the current threat landscape, which is the most complex and sophisticated it has ever been, the escalating challenges facing cyber security professionals underscore the urgency of our message: organisations must invest in their teams, both in terms of new talent and existing staff, equipping them with the essential skills to navigate the constantly evolving threat landscape.”