A dwindling talent pool is forcing many businesses to compete in earnest for cybersecurity personnel but what many don’t realise is that they can expect demand to increase over the next few years.
The Department for Culture, Media and Sport (DCMS) previously predicted that there would be an annual shortfall of 10,000 new entrants but in May of this year that was revised to 14,100. This will be cumulative, meaning the gap will widen over the coming years and such shortages don’t just mean jobs stay unfilled – they have a very real impact on the ability of the business to stay secure.
Understaffed and overexposed
In the ‘Global Cybersecurity Outlook 2022’ report, The World Economic Forum (WEF) revealed that almost 60 percent would “find it challenging to respond to a cybersecurity incident owing to the shortage of skills within their team” and the ISACA State of Cybersecurity 2022 report found 73 percent regarded their business as significantly understaffed. The ISC(2) Cybersecurity Workforce Study has revealed that these staff shortages are leading to misconfigured systems, were slowing system patching, and were resulting in lack of oversight, insufficient risk assessment, lack of threat awareness and rushed deployments.
Worryingly, the WEF also found that business executives were less concerned about the shortfall than those within the security department, which means there is probably very little appreciation that the security stature will gradually become more eroded over time.
It's a situation further exacerbated by the short time many cybersecurity personnel spend in their positions. For the past decade the average time a Chief Information Security Officer (CISO) stays in a post has been just two years, according to Verizon’s Payment Security Report, meaning that 35% of CISOs at any one time were new to the job. This then tends to hobble security plans which typically span five to ten years.
Holes in the security continuum
So where can we expect the holes to appear? Certain roles are certainly proving harder to recruit than others. The DCMS found the highest demand was for security engineers (35%) followed by security analysts (18%), security managers (14%), security architects (11%) and security consultants (9%).
Fortinet’s 2022 Cybersecurity Skills Gap report, which takes a global view, found demand was highest for cloud security specialists, SOC Analysts and Security Administrators and Security Architects while the ISACA report found the top five security skills were in cloud computing, data protection, Identity Access Management, Incident Response and DevSecOps.
To make matters worse, it’s also proving hard to keep hold of talented staff with 60% of businesses revealing in the ISACA survey they’ve had staff poached by rivals. Staff leaving have also cited poor renumeration, limited job progression or promotion opportunities, high stress levels and a lack of support and the reasons for their resignation. The DCMS report claims 11 percent of the cyber workforce have left since 2020 (of which 9 percent chose to do so) which is almost double the number anticipated. But it’s here where there’s a glimmer of hope. Address these issues, and businesses will find it easier to both attract and retain talent.
What can businesses do?
There’s obviously a ceiling when it comes to how much businesses can afford to pay but they can make their workplace a more attractive one by being transparent about both pay structures and career progression. The cybersecurity sector is notorious for its convoluted career paths, so much so that the UK Cyber Security Council has developed career maps to help resolve this issue and is intent on producing detailed pathways to show how professionals can progress through 16 specific careers by 2025. So businesses that provide this level of detail will be perceived as more committed to their staff.
Stress levels are another major issue with 45% considering quitting the industry entirely due to this factor, according to the Voice of SecOps report. Again, businesses can reassure candidates by being open and honest about the mental wellbeing support they offer and their planned investment in automation to do the heavy lifting. On-the-job support in the form of mentoring is also hugely beneficial but again there needs to be a clear overview of how this will be provided, from timetabling time with the mentor to the level of training on offer.
All too often, training is left off the job specification or assumed when in fact it can be viewed as a big plus by the candidate, and there’s a very real danger of it being culled as businesses make cutbacks. Only 62% of businesses have employees with or working towards a cyber-security related qualification or certified training and only 21% provided their cyber security staff with training relevant to their role over the last year, according to the DCMS.
Extra resource
But there’s also no getting away from the fact that it’s going to take time for new entrants to emerge and this means businesses will need to think laterally. Many are now looking to recruit from within the business, by upskilling existing employees. The DCMS report found 85% fulfilling cyber roles had transitioned from a non-cyber role and even in cyber security businesses, 27% were recruited or joined from a non-cyber role.
Businesses are also diversifying and increasing their intake of neuro diverse, ethnic minorities and women. The UK Cyber Security Council estimates that 17% of cyber professionals are now from ethnic minority backgrounds and 9% are neurodiverse while a Microsoft survey reveals 18% are women, suggesting there’s a pool of untapped talent. However, another DCMS report – Understanding the Cyber Security Recruitment Pool – reveals that many of these potential candidates are being screened out too early in the process due to an overemphasis on additional qualifications, so there’s a real need to reappraise job specifications and to focus not just on technical skills but also soft skills.
We’re in for a tough few years ahead due to inflation, shrinking budgets and a growing skills gap which means businesses must begin to think now about what they can do. If they don’t, they’ll almost certainly find their systems become more exposed and susceptible to attack due to a shortage of security personnel.