The Cybersecurity Skills Gap Is Not Just A Numbers Game

The cybersecurity skills gap has created a sense of urgency, with governments globally looking to boost the workforce by attracting new entrants, not just out of university but from all walks of life.

In the US, the White House unveiled its National Cyber Workforce and Education Strategy (NCWES) in July, aimed at making it easier for citizens to enrol and qualify for a career in cybersecurity, while in the UK the National Cyber Strategy sets out goals under Pillar 1, Objective 2, with training initiatives and recruitment from underrepresented groups.

It's clear why recruitment in the sector has become a national priority. The latest ISC2 Cybersecurity Workforce Study reveals that, globally, the workforce has increased 9% over the past year but the gap is growing faster, at 13%, with 4 million vacancies, which means that year-on-year we can expect it to become harder to fill those gaps.

But, crucially, it’s not just a shortage of workers that is causing the problem but a skills gap, which means a mass recruitment drive is unlikely to provide an effective solution.

There’s a big difference between the two, with 67% reporting a workforce shortage versus 97% a skills gap, and the latter is much more critical. Over half of those questioned in the ISC2 survey (58%) said they could mitigate workforce shortages if they had sufficient skills across the rest of the team. This is no doubt because automation is helping to ease workloads, whereas there is no substitute for skills, with those in short supply including cloud computing security (35%), artificial intelligence and machine learning (32%) and Zero Trust (29%).

Experience Over Aptitude

It's this need for specific experience that is seeing the gap widen. The government’s Cyber security skills in the UK labour market 2023 report found that a third of jobs require a minimum of two to three years’ experience and 28% between four and six years’. Experience is rated above all else by prospective employers, according to the ISC2 report, effectively holding those vacancies open for longer. Hiring practices are also proving hard to change, with only 51% changing their recruitment criteria to hire from non-security backgrounds.

Fundamentally, we have to focus training on those core skill areas that are the most in demand.

Organisations need to offer new recruits external professional development or the opportunity to study for third-party certifications in these areas. Yet we’re seeing less, not more, training, with cost-cutting measures seeing staff denied opportunities or being expected to meet the cost themselves.

The ISACA State of Cybersecurity 2023 report reveals a drop of four percentage points to 28% with respect to employers reimbursing university tuition fees as well as a marginal drop in those paying certification fees. But even more stark is the contrast between those paying the initial fees (65%) versus those paying for the maintenance or renewal of those certifications (55%), which means cybersecurity professionals are consistently expected to pick up the tab on maintaining their qualifications at a time when the cost of living is rising.

Short Term Gains, Long Term Losses

Cutbacks are also exacerbating the skills gap. Those organisations that had laid off staff, for instance, were much more likely to be impacted by a significant skills gap in one or more areas, with 51% found to be in this position compared to 39% of those that did not lay off staff. In fact, reducing headcount was found to have a more detrimental effect on the skills gap than workforce shortages, perhaps due to its effect on morale and on confidence that the business will support staff.

This brings us on to the second biggest driver of the skills gap after sourcing people with the necessary skills: retaining talent.

Low wages, lack of promotion opportunities, and poor job development can all lead to higher attrition rates, making it much harder to keep hold of valuable staff. At organisations that did not offer a competitive salary, for instance, 58% of cybersecurity workers said there were skills gaps compared to 38% of those working at organisations where wages were competitive. 

What these figures all reveal is that solving the skills crisis is not just a numbers game. Attracting more recruits is all well and good but those doing the hiring also need to change their mindset and be more open to recruiting based on potential, not just experience, and from non-security backgrounds.

Training has to be focused on core skillsets which can add value rather than generic disciplines so that the security team can be lean but effective.

And investment in people needs to be sustained to help keep those skillsets relevant, reassure staff that their development is important to the organisation to encourage them to stay, and to avoid saddling staff with their own development costs which could harm the sector as a whole.

Jamal Elmellas is COO of Focus-on-Security
