The Cybersecurity Skills Gap Is Not Just A Numbers Game

Uploaded on 2024-01-15 in NEWS-Cybersecurity News, JOBS-Training, FREE TO VIEW

The cybersecurity skills gap has created an urgency, with governments globally looking to boost the workforce by attracting new entrants not just out of university but from all walks of life.

In the US, the White House unveiled its National Cyber Workforce and Education Strategy (NCWES) in July aimed at making it easier for citizens to enrol and qualify for a career in cyber security while in the UK the National Cyber Strategy sets out goals under Pillar 1, Objective 2 with training initiatives and recruitment from underrepresented groups.

It's clear to see why recruitment in the sector has become a national priority. The latest ISC2 Cybersecurity Workforce Study reveals that globally the workforce has increased 9% over the past year but the gap is growing faster, at 13% with 4 million vacancies, and that means that year-on-year we can expect it to become harder to fill those gaps.

But, crucially, it’s not just a shortage of workers that is causing the problem but a skills gap which means a mass recruitment drive is unlikely to provide an effective solution.

There’s a big difference between the two, with 67% reporting a workforce shortage versus 97% a skills gap, and the latter is much more critical. Over half of those questioned in the ISC2 survey (58%) said they could mitigate workforce shortages if they had sufficient skills across the rest of the team. This is no doubt due to the fact that automation is helping to ease workloads whereas there is substitution for skills, with those in short supply including cloud computing security (35%), artificial intelligence and machine learning (32%) and Zero Trust (29%). 

Experience Over Aptitude

It's this need for specific experience that is seeing the gap widen. The government’s Cyber security skills in the UK labour market 2023 found a third of jobs require a minimum of two to three years’ experience and 28% between four to six years’. Experience is rated above all else by prospective employers, according to the ISC2 report, effectively holding those vacancies open for longer. Plus hiring practices are proving hard to change, with only 51% changing their recruitment criteria to hire from non-security backgrounds.

Fundamentally, we have to focus training on those core skill areas that are the most in demand.

Organisations need to look to offer new recruits external professional development or the opportunity to study third-party certifications in these areas. Yet we’re seeing less not more training, with cost cutting measures seeing staff denied opportunities or being expected to meet the cost themselves. 

The ISACA State of Cybersecurity 2023 report reveals a drop of four percentage points to 28% with respect to employers reimbursing university tuition fees as well as a marginal drop in those paying certification fees. But even more stark is the contrast between those paying the initial fees (65%) versus those paying for the maintenance or renewal of those certifications (55%), which means cybersecurity professionals are consistently expected to pick up the tab on maintaining their qualifications at a time when the cost of living is rising.

Short Term Gains, Long Term Losses

Cutbacks are also exacerbating the skills gap. Those organisations that had laid off staff, for instance, were much more likely to be impacted by a significant skills gap in one or more areas, with 51% found to be in this position compared to 39% who did not lay off staff. In fact, reducing headcount was found to have a more detrimental effect on the skills gap than workforce shortages, perhaps due to morale and confidence in the business to support staff. 

This brings us on to the second biggest driver of the skills gap after sourcing people with the necessary skills: retaining talent.

Low wages, lack of promotion opportunities, and poor job development can all lead to higher attrition rates, making it much harder to keep hold of valuable staff. At organisations that did not offer a competitive salary, for instance, 58% of cybersecurity workers said there were skills gaps compared to 38% of those working at organisations where wages were competitive. 

What these figures all reveal is that solving the skills crisis is not just a numbers game. Attracting more recruits is all well and good but those doing the hiring also need to change their mindset and be more open to recruiting based on potential, not just experience, and from non-security backgrounds.

Training has to be focused on core skillsets which can add value rather than generic disciplines so that the security team can be lean but effective.

And investment in people needs to be sustained to help keep those skillsets relevant, reassure staff that their development is important to the organisation to encourage them to stay, and to avoid saddling staff with their own development costs which could harm the sector as a whole.

Jamal Elmellas is COO of Focus-on-Security

Image: Windows

You Might Also Read: 

Bridging The Cybersecurity Skills Gap With Efficiency:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Might AI Influence Big Elections In 2024?
Enormous Leak - Brazil’s Population Data Exposed »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Malwarebytes

Malwarebytes

Malwarebytes provides artificial intelligence-powered technology that stops cyberattacks before they can compromise computers and endpoints.

TestingXperts

TestingXperts

TestingXperts is a specialist software QA and testing company.

CyberPolicy

CyberPolicy

CyberPolicy is a cyber protection solution for small businesses. It combines three important components against cyber threats - Cyber Plan, Cybersecurity and Cyber Insurance.

Arete

Arete

Arete is a global cyber risk company whose mission is to transform the way organizations prepare for, respond to, and prevent cybercrime.

SOCOTEC Certification International

SOCOTEC Certification International

SOCOTEC Certification International has been providing management systems assessment and accredited ISO certification services to organisations around the world since 1995.

Cutting Edge Technologies (CE Tech)

Cutting Edge Technologies (CE Tech)

CE Tech is a Next Generation Technology Partner providing advanced technology infrastructure solutions through partnerships with leading technology providers.

Ministry of Information and Communications (MIC) - Vietnam

Ministry of Information and Communications (MIC) - Vietnam

The Ministry of Information & Communications of Vietnam is the policy making and regulatory body in the field of information technology and national information and and communication infrastructure.

Viria

Viria

Viria is an information and security technology solution provider that promotes digitalization in a secure way.

Crowe

Crowe

Crowe is a public accounting, consulting, and technology firm that combines deep industry and specialized expertise with innovation.

Finesse Global

Finesse Global

Finesse is a global system integration and digital business transformation company.

ResilientX

ResilientX

ResilientX is an All-In-One Security Testing Platform designed to help MSPs and SMBs to perform their security testing and assessments without having to outsource IT.

KnoTra Global

KnoTra Global

KnoTra Global is a next-generation Managed Service provider with a portfolio of services including Cybersecurity Solutions, Network Management, IT Leadership, and Day-to-Day Helpdesk and IT services.

Security Awareness Special Interest Group (SASIG)

Security Awareness Special Interest Group (SASIG)

The Security Awareness Special Interest Group (SASIG) addresses the human aspects of security and fraud prevention in an initiative to improve trust and confidence in the online environment.

Loccus AI

Loccus AI

Loccus are developers of AI solutions in the voice safety space. We build identity verification solutions, deepfake detection systems and fraud protection products for companies and end-users.

System Two Security

System Two Security

System Two Security automates detection engineering and threat hunting.

Hive Systems

Hive Systems

Hive Systems specialize in tailored solutions that unify risk assessments, IT, security awareness, and cybersecurity operations for businesses of all sizes.