Cybersecurity is a global issue and a growing one too. Every 39 seconds, a cyber attack occurs, amounting to more than 30,000 website hacks every day.
If you have little connection to the cybersecurity industry and assume the skills shortage doesn’t impact you, you’re sorely mistaken. Digital infrastructure dictates every aspect of our lives — from healthcare to banking. And if there’s one thing we’re sure of: less available talent creates an insecure environment for more cyber attacks to occur… and this is an issue that affects everyone.
There were more than 700,000 cybersecurity job openings in the US between May 2021 and April 2022.
So, the question must be asked: where global demand is increasing and available talent is shrinking, what can organizations do to safeguard themselves amidst growing attacks? In this article, we’ll delve into the current state of the cybersecurity skills gap, potential factors contributing to the shortage, and what this means for organizations — large and small.
Statistics that paint the frightening reality of cybersecurity threats
- 82% of organizations lack cybersecurity skills, according to a 2016 Center for Strategic and International Studies (CSIS) report.
- In 2022, the average total cost of a data breach is $4.35 million.
- For more than a decade, the US has held the title for the highest cost of a data breach ($9.44 million). According to IBM, US data breaches cost over $5 million more than the global average.
- It is predicted that cybercrime may cost the global economy $10.5 trillion by 2025.
- Healthcare is the industry most heavily impacted by cybercrime: the cost of breaches in healthcare has increased 42% since 2020, costing $10.10 million per breach on average.
- It takes 277 days to identify and contain a data breach, on average. Those who contained a breach in less than 200 days saved around $1.12 million.
- According to IBM, the number of breaches caused by ransomware increased by 41% in the past year, taking 49 days longer to contain.
- 45% of all breaches occurred in the cloud between 2021 and 2022, according to IBM.
Five factors perpetuating the cybersecurity skills gap
According to Cybersecurity Ventures, the number of unfilled cybersecurity roles increased by 350% globally in just eight years. In 2013, there were one million open cyber jobs; in 2021, that number grew to 3.5 million. In the US alone, there are roughly 1.1 million filled cyber positions and more than 700,000 unfilled positions, according to Cyberseek.
According to a 2022 ISC2 survey, the global cybersecurity workforce is estimated at 4.7 million — an 11.1% increase since 2021. Although 464,000 jobs have been filled in the past year, the cybersecurity talent gap has grown twice as much as the workforce, increasing 26.2% year on year.
Let’s take a closer look at what reasons could be contributing to and worsening the cybersecurity skills shortage.
1. Cybersecurity demands are skyrocketing
The need for skilled professionals is growing increasingly fast. With advancements in technology and the rate at which organizations are becoming more dependent on technology to run their operations, store data, and communicate with clients, the demand for cyber employees far outweighs the current supply. But why exactly? The evolving threat landscape is growing in complexity, requiring skilled cyber professionals to help fix and mitigate the risks.
Additionally, demand grew much faster than the workforce was prepared for (a 350% increase in eight years), so organizations felt the impact of unpredictable events like COVID-19, when remote working made them even more vulnerable to cyberattacks and caused a spike in cybercrime.
The existing workforce is battling growing pressure and demands. On the one hand, they’re expected to safeguard their organizations from threats that are increasing in complexity, sophistication, and frequency. And on the other hand, they’re trying to stay updated with new technology and regulatory requirements.
2. The cybersecurity workforce lacks diversity
Only roughly 25% of cybersecurity workers globally are female, according to ISC2. Additionally, an Aspen Institute study found that the US cyber workforce identifies as 4% Hispanic, 9% Black, 6% Asian, and 1% native or native Hawaiian.
It’s unclear why diversity has been lacking in this industry for some time. Yet, researchers believe it could be the culmination of various factors, including industry stereotypes discouraging certain groups, organizations failing to prioritize inclusion and diversity, and educational institutions not offering enough course variety to all students. For example, according to an ISC2 study, 77% of respondents revealed their curriculum didn’t offer formal cybersecurity education.
According to a Trellix survey, respondents believe the following factors are highly or extremely important to address to encourage more people to enter the industry:
- Inclusivity and equality for women — 79%
- Industry diversity — 77%
- Pay gaps between demographic groups — 72%
- Employers considering applicants from non-traditional cybersecurity backgrounds — 94%
- Additional efforts to broaden the cybersecurity talent pool from diverse groups — 91%
- More mentorships, internships, and apprenticeships to support people from diverse backgrounds to enter the industry — 92%
While we have a long way to go to achieve true diversity in cybersecurity, private and public sector entities are prioritizing initiatives that give access to underrepresented candidates. Why exactly? Diversity matters in the workforce. Firstly, it’s proven to improve productivity and bottom-line outcomes, and secondly, it gives organizations a broader and more diverse talent pool to choose from — a particularly advantageous factor amidst a candidate shortage.
3. Unnecessary candidate requirements
In an industry already feeling the full weight of the skills shortage, adding unnecessary requirements to the application process is a sure way to deter potentially suitable candidates.
Up until recently, gaining access to a career in cybersecurity often required a relevant college degree, various cyber certifications, and experience. Yet, the degree requirement alone is enough to automatically eliminate a huge portion of potential candidates, given more than 60% of Americans don’t hold a bachelor’s degree.
Candidates come from diverse backgrounds and attain their skills through several pathways — whether a college degree or self-teaching — and now more than ever, acknowledging the many routes one can take is needed to help close the cyber skills gap.
4. Cybersecurity is a mysterious industry
According to a Trellix survey of existing cybersecurity professionals, one potential reason contributing to the cybersecurity skills gap is the lack of industry understanding — including skill development, how to enter the industry, the career path options, and how it contributes to society.
According to respondents, the following factors are deemed extremely important for encouraging more workers into a career in cybersecurity:
- 85% believe more support is needed for skills development
- 84% believe in improving the understanding of what’s needed to enter a career in cybersecurity
- 80% believe a better understanding of potential career paths and progression is needed
- 80% believe more acknowledgment of how cybersecurity professionals contribute to society is needed
- 80% believe in improving support for qualifications and certifications
Similarly, when asked which of the following options would best encourage candidates to join the cybersecurity industry, respondents ranked the following most important:
- 43% of respondents believe more efforts need to be made to raise awareness of cybersecurity careers
- 41% of respondents believe more encouragement needs to be given to students to pursue STEM-related careers throughout education
- 39% of respondents believe further funding support for cybersecurity qualifications and certifications is needed
- 33% of respondents believe further funding is needed for STEM-related careers
- 28% of respondents believe changing the required qualifications is a much-needed change
5. The existing cybersecurity workforce is dissatisfied
Recent findings suggest that finding new candidates to join the cybersecurity workforce isn’t the only issue the industry faces. It is also struggling to retain talent. According to a Trellix survey, 30% of cybersecurity professionals plan to change careers within two or so years.
Consider the following findings:
- Almost 70% of cybersecurity workers feel their employer doesn’t have an adequate cybersecurity team to be effective, according to the 2022 ISC2 survey.
- Of the one-third of professionals wanting to leave the cybersecurity profession, most future exits are due to feeling undervalued by their workplace or that there aren’t clear opportunities to progress. According to the Trellix survey, cybersecurity workers are looking to leave due to a lack of career progression (35%), a lack of acknowledgment (31%), and not enough support to improve their skills (25%).
- The same Trellix survey also found reasons for wanting to leave the profession included burnout and salary dissatisfaction.
What does the cybersecurity skills crisis mean for organizations?
Since 2019, the FBI has seen a 69% increase in cybercrime-related attacks. Similarly, the prevalence and impact of data breaches in the United States have hit a new record, averaging a total cost of $4.35 million in 2022 — a 12.7% increase from 2020.
Yet, according to a 2016 Center for Strategic and International Studies (CSIS) study, organizations aren’t adequately prepared to tackle these costly threats. 82% of respondents admit a lack of cybersecurity skills within their organization, and 71% acknowledge that the skills gap makes their organization more vulnerable to outside threats.
Cybercrime is growing at an alarming rate, and much of that growth is due to the scarcity of resources to help defend organizations’ critical assets. As a result, organizations are more vulnerable and susceptible to outside threats. Yet, the risks can be mitigated. Consider the following:
1. Hire a cybersecurity team or specialist
If budget allows, and your organization’s size and structure call for it, it might be time to invest in a cybersecurity professional. However, be willing to pay the price — due to the growing demand, tech salaries hit a record high in 2021, with the average US tech salary sitting at $104,566. While supply is low, organizations must increase salaries and packages to attract scarce talent.
2. Invest in AI security
Many organizations are leaning on AI-powered tools to help identify threats and secure sensitive data. According to IBM, organizations that have deployed security AI and automation have experienced an average cost saving of $3.05 million on data breaches.
3. Train your existing team
If you don’t have a cybersecurity team or specialist, you need to focus on educating your team on what to be aware of and what to do in instances where they suspect a breach. Consider upskilling your team in cybersecurity courses or testing their existing skills with our cybersecurity assessment. When it comes to cybersecurity awareness, it’s everyone’s responsibility to help minimize the impact of a breach.
4. Consider the wellbeing of your existing cybersecurity professionals
According to Mimecast’s State of Email Security 2022 report, 84% of cybersecurity professionals in North America alone admitted to experiencing burnout, resulting from more cyber threats, too few candidates (i.e., talent shortage), and other employees’ making burnout-driven mistakes. If your organization has an existing cybersecurity team or specialist, it’s essential to check their wellbeing to ensure they’re satisfied and supported.
There are more threatening cyberattacks than ever before — in sheer numbers and sophistication. Cyberattacks are increasing at an alarming rate, and there are not enough people to help safeguard the online world. As such, this puts organizations — large and small — at risk of being exposed to greater online danger.
While various factors contribute to the cybersecurity skills shortage, we know greater prioritization needs to be given to educate both organizations and individuals on the industry, as well as how to mitigate the risks.
Organizations can start by educating their existing workforce on identifying and resolving threats, expanding their team to make room for a cybersecurity specialist, or ensuring their existing cybersecurity team has the support they need to feel satisfied in the role.