The Cyber Security Skills Gap Is A Chicken & Egg Problem

Uploaded on 2024-04-18 in JOBS-Training, FREE TO VIEW, NEWS-Cybersecurity News

The cybersecurity workforce gap is now almost equal to the number employed in the sector, according to figures from ISC2 which found these are globally approaching 4m and 5.5m, respectively. In an effort to address the gap, we’ve seen a host of national drives by governments, from the US National Cyber Workforce and Education Strategy (NCWES) in the US to the National Cyber Strategy in the UK.

The latter has seen a concerted effort to rationalise the sector by the UK Cyber Security Council in the form of its Cyber Career Framework which maps sixteen specialisms and helps provide guidance on the qualifications and certifications in relation to each to support those aspiring to work in cyber.

All are to be applauded except there’s one crucial problem: there aren’t the jobs for these new entrants to apply to.

Job openings for experienced candidates outnumber those for entry level positions by a ratio of two to one, according to The State of Cybersecurity 2023 report from ISACA. It warns that without the creation of enough entry-level positions those that spend significant time and effort completing a cybersecurity pathway program cannot gain the necessary employment experience. This renders government initiatives as useless as they cannot compel enterprises to offer entry-level positions.  

Only The Experienced Need Apply

The vast majority of job openings are for experienced personnel. The Cyber Security Skills in the UK Labour Market 2023 commissioned by the government reveals that 59% of job postings request between two and six years of experience, with the bulk of skills shortages are among middle-management and other senior roles, which require three or more years of experience. This is in part due to the areas where skills shortages are falling. 

The most in demand technical skills are in cloud security. This was followed by risk assessment/management, security analysis and security engineering in the ISC2 report and security controls and implementation in the ISACA report. But top of the list when it comes to the skillsets missing among those with less than three years’ experience was also security controls, which suggests new candidates are not always coming to the market with the desired skillsets.

This may, in part, be due to fact that employers are increasingly becoming disillusioned with the cybersecurity degrees. According to ISACA, only 25% of degree syllabuses need to pertain to cybersecurity topics and less organisations now require a university-degree for entry-level positions. In the workplace, attitudes towards degrees are split: 28% agree university graduates are well prepared for cybersecurity challenges in a real world setting and 24% don’t in the ISACA study. But the ISC2 found the majority now favour experience over a degree (70% versus 30%) among entry level candidates.

The move away from degrees is generally welcomed within the industry, as it lowers the barriers to entry and sees independent study ie certifications and work experience valued more highly. A university degree now comes way down the list on desirable qualifications, after prior hands-on experience (72%), credentials (37%), and hands-on training (25%), according to ISACA. The problem remains, however, as to how candidates can obtain the necessary experience, particularly when that experience needs to span several years. 

Casualties Of The Economic Downturn

All of this points to the need for the commercial sector to step up and commit to taking on and training candidates rather than expecting a ready-made talent pool. But unfortunately, the economic downturn has resulted in quite the opposite. ISACA reports a drop in the number of employers reimbursing employees for university fees and certification fees, for example, while ISC2 found 35% of organisations have made cutbacks to their training programmes to conserve spend. It’s often a false economy, however, with those that don’t offer reimbursements revealed to be the businesses with the worst skills gaps, because under investment in the workforce typically leads to attrition.

The chicken and egg problem of the cybersecurity workforce crisis is therefore complex. Government initiatives that simply seek to blanket the sector with candidates are setting them up to fail, with debts from studying and no job to go into. Hirers are looking for skilled personnel who are diminishing as demand outstrips supply. And cash-strapped businesses are unable to take on the costs of training up green candidates because of a stalling economy and rising costs.  

Solving the problem will therefore take a number of seismic changes. We need organisations to be less blinkered in their approach and expand their hiring parameters to include non-experienced personnel. This is happening, albeit slowly, with 51% now changing their hiring requirements to recruit more people from non-cybersecurity backgrounds, states ISC2. Hiring practices that look for aptitude and potential in terms of technical competency by assessing soft skills such as problem solving, for instance, should be used to assess candidates.

Government initiatives also need to run alongside programmes that incentivise the commercial sector to take on and train candidates. We’ve seen the likes of the CyberFirst programme attempt to create a pipeline for the market which offers university bursaries and apprenticeship schemes but in reality this is a drop in the ocean and can’t match demand. So government supported schemes need to think bigger and work with private businesses to see the creation of entry level opportunities.

Businesses will need to draw upon raw talent and shape people in work placements, through training and mentoring, for example. But this presents a real opportunity to tailor and invest in the workforce and, by solving the problem themselves rather than relying on the market, it makes it less likely that skills gaps will emerge.

Without such radical action, the danger is that the over emphasis on unicorn and experienced job postings are likely to alienate potential applicants and deepen the workforce gap.

Jamal Elmellas is COO of Focus-on-Security

Image: AndreyPopov

You Mght Also Read: 

The Cybersecurity Skills Gap Is Not Just A Numbers Game:

DIRECTORY OF SUPPLIERS - Jobs & Recruitment:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Focus On Education With CYRIN Cyber Range
Overcoming Security Alert Fatigue »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

AlgoSec

AlgoSec

The AlgoSec platform enables the world’s most complex organizations to gain visibility, reduce risk and process changes at zero-touch across the hybrid network.

8MAN

8MAN

8MAN is a leading Access Rights Management (ARM) solution in Microsoft and virtual server environments.

Lares Consulting

Lares Consulting

Lares is a security consulting firm that helps companies secure electronic, physical, intellectual, and financial assets through a unique blend of assessment, testing and coaching.

National Cyber League (NCL)

National Cyber League (NCL)

The NCL provides a virtual training ground for participants to develop, practice, and validate their cybersecurity knowledge and skills.

D3 Security

D3 Security

D3's Smart SOAR platform is at the forefront of the security automation revolution, helping clients around the world to rapidly identify, analyze, and resolve advanced threats.

Touchstone Security

Touchstone Security

Touchstone Security is a company with a passion for technology, a hyper-focus on cybersecurity, and a special affinity for cloud technology.

OpSec Security

OpSec Security

OpSec Online is the only brand protection solution that spans all channels so your brands are protected no matter what digital venue the criminals target.

Palantir

Palantir

Palantir software empowers entire organizations to answer complex questions quickly by bringing the right data to the people who need it.

oneclick

oneclick

oneclick is a central access and distribution platform in the cloud, enabling the management of the entire technology stack for application provisioning.

Hex-Rays

Hex-Rays

Founded in 2005, privately held, Belgium based, Hex-Rays SA focuses on the development of fast, stable, and robust binary analysis tools for the IT security market.

Tromzo

Tromzo

Tromzo's mission is to eliminate the friction between developers and security so you can scale your application security program.

Cyber Protection Group (CPG)

Cyber Protection Group (CPG)

Cyber protection Group specialize in Penetration Testing. We work with enterprise level companies as well as small to medium sized businesses.

Sectyne

Sectyne

Sectyne is a full-stack cyber consultancy committed to providing tailored services, advisory consultations, and training.

Nudge Security

Nudge Security

Nudge Security offer the world's first-ever SaaS security solution to discover shadow IT and curb SaaS sprawl across any device or location and nudges employees towards optimal security behavior.

Akto

Akto

Akto, the plug & play API security platform. Discover your APIs, run tests and find business logic vulnerabilities at ludicrous speed.

Onum

Onum

Onum helps security and IT leaders focus on the data that's most important. Gain control of your data by cutting through the noise for deep insights in real time.