The Cyber Security Skills Gap Is A Chicken & Egg Problem

The cybersecurity workforce gap is now almost equal to the number employed in the sector, according to figures from ISC2 which found these are globally approaching 4m and 5.5m, respectively. In an effort to address the gap, we’ve seen a host of national drives by governments, from the US National Cyber Workforce and Education Strategy (NCWES) in the US to the National Cyber Strategy in the UK.

The latter has seen a concerted effort to rationalise the sector by the UK Cyber Security Council in the form of its Cyber Career Framework which maps sixteen specialisms and helps provide guidance on the qualifications and certifications in relation to each to support those aspiring to work in cyber.

All are to be applauded except there’s one crucial problem: there aren’t the jobs for these new entrants to apply to.

Job openings for experienced candidates outnumber those for entry level positions by a ratio of two to one, according to The State of Cybersecurity 2023 report from ISACA. It warns that without the creation of enough entry-level positions those that spend significant time and effort completing a cybersecurity pathway program cannot gain the necessary employment experience. This renders government initiatives as useless as they cannot compel enterprises to offer entry-level positions.  

Only The Experienced Need Apply

The vast majority of job openings are for experienced personnel. The Cyber Security Skills in the UK Labour Market 2023 commissioned by the government reveals that 59% of job postings request between two and six years of experience, with the bulk of skills shortages are among middle-management and other senior roles, which require three or more years of experience. This is in part due to the areas where skills shortages are falling. 

The most in demand technical skills are in cloud security. This was followed by risk assessment/management, security analysis and security engineering in the ISC2 report and security controls and implementation in the ISACA report. But top of the list when it comes to the skillsets missing among those with less than three years’ experience was also security controls, which suggests new candidates are not always coming to the market with the desired skillsets.

This may, in part, be due to fact that employers are increasingly becoming disillusioned with the cybersecurity degrees. According to ISACA, only 25% of degree syllabuses need to pertain to cybersecurity topics and less organisations now require a university-degree for entry-level positions. In the workplace, attitudes towards degrees are split: 28% agree university graduates are well prepared for cybersecurity challenges in a real world setting and 24% don’t in the ISACA study. But the ISC2 found the majority now favour experience over a degree (70% versus 30%) among entry level candidates.

The move away from degrees is generally welcomed within the industry, as it lowers the barriers to entry and sees independent study ie certifications and work experience valued more highly. A university degree now comes way down the list on desirable qualifications, after prior hands-on experience (72%), credentials (37%), and hands-on training (25%), according to ISACA. The problem remains, however, as to how candidates can obtain the necessary experience, particularly when that experience needs to span several years. 

Casualties Of The Economic Downturn

All of this points to the need for the commercial sector to step up and commit to taking on and training candidates rather than expecting a ready-made talent pool. But unfortunately, the economic downturn has resulted in quite the opposite. ISACA reports a drop in the number of employers reimbursing employees for university fees and certification fees, for example, while ISC2 found 35% of organisations have made cutbacks to their training programmes to conserve spend. It’s often a false economy, however, with those that don’t offer reimbursements revealed to be the businesses with the worst skills gaps, because under investment in the workforce typically leads to attrition.

The chicken and egg problem of the cybersecurity workforce crisis is therefore complex. Government initiatives that simply seek to blanket the sector with candidates are setting them up to fail, with debts from studying and no job to go into. Hirers are looking for skilled personnel who are diminishing as demand outstrips supply. And cash-strapped businesses are unable to take on the costs of training up green candidates because of a stalling economy and rising costs.  

Solving the problem will therefore take a number of seismic changes. We need organisations to be less blinkered in their approach and expand their hiring parameters to include non-experienced personnel. This is happening, albeit slowly, with 51% now changing their hiring requirements to recruit more people from non-cybersecurity backgrounds, states ISC2. Hiring practices that look for aptitude and potential in terms of technical competency by assessing soft skills such as problem solving, for instance, should be used to assess candidates.

Government initiatives also need to run alongside programmes that incentivise the commercial sector to take on and train candidates. We’ve seen the likes of the CyberFirst programme attempt to create a pipeline for the market which offers university bursaries and apprenticeship schemes but in reality this is a drop in the ocean and can’t match demand. So government supported schemes need to think bigger and work with private businesses to see the creation of entry level opportunities.

Businesses will need to draw upon raw talent and shape people in work placements, through training and mentoring, for example. But this presents a real opportunity to tailor and invest in the workforce and, by solving the problem themselves rather than relying on the market, it makes it less likely that skills gaps will emerge.

Without such radical action, the danger is that the over emphasis on unicorn and experienced job postings are likely to alienate potential applicants and deepen the workforce gap.

Jamal Elmellas is COO of Focus-on-Security

Image: AndreyPopov

You Mght Also Read: 

The Cybersecurity Skills Gap Is Not Just A Numbers Game:

DIRECTORY OF SUPPLIERS - Jobs & Recruitment:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Focus On Education With CYRIN Cyber Range
Overcoming Security Alert Fatigue »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Caldew Consulting

Caldew Consulting

Caldew specialise in providing information assurance and cyber security consultancy, covering the full spectrum of the security life cycle.

iStorage

iStorage

iStorage is the leading global provider of PIN Activated, hardware encrypted, portable data storage solutions.

Boxcryptor

Boxcryptor

Boxcryptor encrypts your sensitive files before uploading them to cloud storage services.

NetDiligence

NetDiligence

NetDiligence is a privately-held cyber risk assessment and data breach services company.

SQNetworks

SQNetworks

SQNetworks provides a full range of cybersecurity consultancy, services and solutions.

Sectigo

Sectigo

Sectigo is a leading cybersecurity provider of digital identity solutions, including TLS / SSL certificates, DevOps, IoT, and enterprise-grade PKI management, as well as multi-layered web security.

NFIR

NFIR

NFIR is a specialist in the field of cyber security incident response and digital forensics.

Zero Networks

Zero Networks

With Zero Network, you can achieve affordable, airtight network access security at scale.

Take Five

Take Five

Take Five is a national campaign offering straight-forward, impartial advice that helps prevent email, phone-based and online fraud – particularly where criminals impersonate trusted organisations.

AdEPT Technology Group

AdEPT Technology Group

AdEPT are a managed services and telecommunications provider offering award-winning, proven and uncomplicated technical solutions for over 12,000 organisations across the UK.

IMQ Group

IMQ Group

IMQ is one of Europe’s top players in the field of conformity assessment. We offer certification services to support all the major sectors of the manufacturing and service industries.

Cyberi

Cyberi

Cyberi provide specialist technical consultancy and cyber advisory services, from penetration testing and assurance to incident management and response, and technical security research.

Wadilona Cyber Securities

Wadilona Cyber Securities

Wadilona Cyber Securities' sole aim is to bring and secure Information and Communications Technology (ICT) to and work for humans in its simplest terms.

UK Cyber Cluster Collaboration (UKC3)

UK Cyber Cluster Collaboration (UKC3)

UKC3 has been launched to support Cyber Clusters and encourage greater collaboration across regions and nations of the UK.

Silent Circle

Silent Circle

Silent Circle is the leader in end-to-end enterprise solutions for secure mobile communications.

Inroad Technologies

Inroad Technologies

Inroad Technologies provide IT services that help keep your business computers, servers and networks secure and trouble-free.