The Cyber Security Skills Gap Is A Chicken & Egg Problem

The cybersecurity workforce gap is now almost equal to the number employed in the sector, according to figures from ISC2, which found that globally these are approaching 4m and 5.5m, respectively. In an effort to address the gap, we’ve seen a host of national drives by governments, from the National Cyber Workforce and Education Strategy (NCWES) in the US to the National Cyber Strategy in the UK.

The latter has seen a concerted effort to rationalise the sector by the UK Cyber Security Council in the form of its Cyber Career Framework which maps sixteen specialisms and helps provide guidance on the qualifications and certifications in relation to each to support those aspiring to work in cyber.

All are to be applauded except there’s one crucial problem: there aren’t the jobs for these new entrants to apply to.

Job openings for experienced candidates outnumber those for entry-level positions by a ratio of two to one, according to The State of Cybersecurity 2023 report from ISACA. It warns that without the creation of enough entry-level positions, those who spend significant time and effort completing a cybersecurity pathway program cannot gain the necessary employment experience. This renders government initiatives useless, as they cannot compel enterprises to offer entry-level positions.

Only The Experienced Need Apply

The vast majority of job openings are for experienced personnel. The Cyber Security Skills in the UK Labour Market 2023 report, commissioned by the government, reveals that 59% of job postings request between two and six years of experience, with the bulk of skills shortages among middle-management and other senior roles, which require three or more years of experience. This is in part due to the areas where skills shortages are falling.

The most in-demand technical skills are in cloud security. This was followed by risk assessment/management, security analysis and security engineering in the ISC2 report and security controls and implementation in the ISACA report. But top of the list when it comes to the skillsets missing among those with less than three years’ experience was also security controls, which suggests new candidates are not always coming to the market with the desired skillsets.

This may, in part, be due to the fact that employers are increasingly becoming disillusioned with cybersecurity degrees. According to ISACA, only 25% of degree syllabuses need to pertain to cybersecurity topics and fewer organisations now require a university degree for entry-level positions. In the workplace, attitudes towards degrees are split: 28% agree university graduates are well prepared for cybersecurity challenges in a real-world setting and 24% don’t in the ISACA study. But ISC2 found the majority now favour experience over a degree (70% versus 30%) among entry-level candidates.

The move away from degrees is generally welcomed within the industry, as it lowers the barriers to entry and sees independent study, i.e. certifications and work experience, valued more highly. A university degree now comes way down the list of desirable qualifications, after prior hands-on experience (72%), credentials (37%), and hands-on training (25%), according to ISACA. The problem remains, however, as to how candidates can obtain the necessary experience, particularly when that experience needs to span several years.

Casualties Of The Economic Downturn

All of this points to the need for the commercial sector to step up and commit to taking on and training candidates rather than expecting a ready-made talent pool. But unfortunately, the economic downturn has resulted in quite the opposite. ISACA reports a drop in the number of employers reimbursing employees for university fees and certification fees, for example, while ISC2 found 35% of organisations have made cutbacks to their training programmes to conserve spend. It’s often a false economy, however, with those that don’t offer reimbursements revealed to be the businesses with the worst skills gaps, because underinvestment in the workforce typically leads to attrition.

The chicken and egg problem of the cybersecurity workforce crisis is therefore complex. Government initiatives that simply seek to blanket the sector with candidates are setting them up to fail, with debts from studying and no job to go into. Hirers are looking for skilled personnel who are diminishing as demand outstrips supply. And cash-strapped businesses are unable to take on the costs of training up green candidates because of a stalling economy and rising costs.  

Solving the problem will therefore take a number of seismic changes. We need organisations to be less blinkered in their approach and expand their hiring parameters to include non-experienced personnel. This is happening, albeit slowly, with 51% now changing their hiring requirements to recruit more people from non-cybersecurity backgrounds, states ISC2. Hiring practices that look for aptitude and potential in terms of technical competency by assessing soft skills such as problem solving, for instance, should be used to assess candidates.

Government initiatives also need to run alongside programmes that incentivise the commercial sector to take on and train candidates. We’ve seen the likes of the CyberFirst programme, which offers university bursaries and apprenticeship schemes, attempt to create a pipeline for the market, but in reality this is a drop in the ocean and can’t match demand. So government-supported schemes need to think bigger and work with private businesses to see the creation of entry-level opportunities.

Businesses will need to draw upon raw talent and shape people in work placements, through training and mentoring, for example. But this presents a real opportunity to tailor and invest in the workforce and, by solving the problem themselves rather than relying on the market, it makes it less likely that skills gaps will emerge.

Without such radical action, the danger is that the overemphasis on unicorn and experienced job postings is likely to alienate potential applicants and deepen the workforce gap.

Jamal Elmellas is COO of Focus-on-Security

Image: AndreyPopov
