There is a virus infecting the cybersecurity industry. The number of breaches and the cost of cybercrime continue to skyrocket, there are millions of unfilled positions, and yet many would-be cybersecurity professionals are struggling to find a job.
Astonishingly there is much disagreement in the cybersecurity community about the reasons for this gap. For anyone hoping to gain employment in the not too distant future, or further a career, this is a somewhat important topic. So I decided to investigate.
The Scale of the Problem
Most media outlets quote 3.5 million unfilled positions globally. I wanted to confirm if this was an accurate representation of the number of available positions. So where did it come from? The original source is actually a prediction from four years ago.
This prediction (their word by the way) is from the jobs report released by Cybersecurity Ventures in May 2017, which you can read here. It is right there in big, bold letters in the opening sentence. This new prediction revised previous, lower forecasts. Media outlets and tech articles have been quoting this figure ever since.
For example, this New York Times article from November 2018 says “A stunning statistic is reverberating in cybersecurity.” This is one of the few articles that does cite Cybersecurity Ventures, but they do not mention that the report is eighteen months old.
How did Cybersecurity Ventures arrive at this prediction you may ask? Communication is the key. They spoke to people, a whole host of cybersecurity professionals, and they looked at research. Sneakily, they spoke to people and more importantly, listened to what they had to say. There were surveys being conducted at the time arriving at quite different figures, but I guess they forgot to speak to people. Or rather, maybe they weren’t listening, but then 3.5 million unfilled positions is an enormous figure to take in.
In looking for corroborating articles and studies, I found a surprising number from the past 12 months that quote predictions more than 3 years old as if they are actual figures of the day. There was at least one article released on Monday that quoted the 3.5 million estimate from 2017 as if it had just been announced. The attention-grabbing figure permeated well beyond the cybersecurity industry becoming less a prediction, often quoted as fact.
Even in a relatively recent article from PWC about how to Future-proof your security team, they quote the “most recent studies”, in a point about the lack of candidates to fill the needed positions. This is linked to a Security Magazine article from June last year, which cites research released by Emsi. There is a link to the research and you can download the pdf. This research paper in turn quotes the (ISC)2 Cybersecurity Workforce Study 2019, which gathered the data for its study between April and June of that year.
So what have we learned? The PWC article refers to 2-year-old data as the “most recent studies”, in an industry where research is a key skill. There’s more…
Again from the same PWC article, the 3.5 million figure is quoted. This time the link is to Cybersecurity Ventures 2019/2020 jobs report. Now this you’ve got to love. In the 2019/20 jobs report, Cybersecurity Ventures quote the very New York Times article, which quotes their own prediction from 2017! They point out that their prediction has been corroborated many times from almost every kind of outlet.
I would humbly suggest that there’s a difference between corroborating and regurgitating. However, the report then mentions a couple more articles that cite their 2017 prediction, one of which is the Harvard Business Review. So I guess that makes them right. Either way, they “stand firmly behind the two-and-a-half-year-old prediction.” They probably spoke to some more people.
Cybersecurity Ventures made the point that (ISC)2 figures had now aligned with their own, having had quite different estimates back in 2017. It may or may not be relevant that in an article on their 2017 jobs report titled “Jobs Report Vs Survey”, Cybersecurity Ventures went to some pains to suggest that the estimate of 1.8 million from (ISC)2 was not in opposition to their own estimate, but rather was a subset of the 3.5 million prediction for 2021.
So in 2017, the (ISC)2 estimated figures were a subset of the 3.5 million, but in 2019, their estimate of the shortfall for 2021 was roughly the same as Cybersecurity Ventures. In fact the 2019 Cybersecurity Workforce Study estimated a workforce shortage of 4 million.
So the question remains how accurate was the 3.5 million prediction? It may be that the report was spot on, and 4 years later we do indeed have 3.5 million unfilled positions. There have been some major changes in that time though and nobody (apart from Bill Gates) could have foreseen a global pandemic forcing massive changes to the way we work, increasing the pressure on cybersecurity teams.
The (ISC)2 Cybersecurity Workforce Study 2020, released last November and based on data collected between April and June, found that the jobs of up to 41% of respondents were affected by COVID-19 through reduced hours, reduced salary or being laid off. They report on the “Workforce Gap” by the way, defined as the difference between the estimated number of professionals required by organisations and the number employed in cybersecurity. It is not an estimate of vacancies.
Their estimate is that the gap had narrowed by approximately 900,000 to 3.1 million worldwide in 2020, with over 2 million of those in the Asia-Pacific region. The gap reduced because respondents reported a lower average headcount demand, attributed to the pandemic. However, the data was collected soon after the start of the pandemic; cybercriminals hadn’t yet begun to take advantage of the increased attack surface, and budgets were being hit.
To obtain an estimate of the current global workforce shortage, we can look at the U.S. estimates made by (ISC)2 from their 2019 and 2020 studies and compare that to the size of the current workforce from Cyberseek.
| Year | US Workforce | US Workforce Gap | Global Workforce Gap |
| --- | --- | --- | --- |
| 2019 | 804,700 | ~500,000 | ~4.07 Million |
| 2020 | 879,157 | 359,236 | ~3.12 Million |
| 2021 | 956,341 | 464,420 | ? |
From this you can estimate that when (ISC)2 release their 2021 Cybersecurity Workforce Study (with figures being collected now, if they stick to the same time frame as previous years), we will see the global cybersecurity workforce gap getting wider. It might just be 3.5 Million.
Unfilled Positions
Whatever the actual number, there are a lot of vacancies not getting filled. One of the reasons given most often is a lack of skills. There are two sides to this. One is that a large percentage of vacancies are for senior positions, but against a backdrop of 0% unemployment and high salaries, they fail to attract talented professionals, and hiring managers are seemingly happy to let the positions go unfilled rather than recruit someone who doesn’t currently possess the specific skillset.
The other side is the large number of students looking for an entry level role. The lack of skills referred to in this case is commonly a lack of hands-on experience. Among the requirements are often 3+ years of experience in an IT role, not to mention those entry level roles requesting the CISSP certification. Otherwise ideal candidates are overlooked when they can’t get past the HR filter.
According to the Emsi report “Build (Don’t Buy)” from July last year, among the skills most in demand are SIEM, Intrusion detection and prevention, and penetration testing. These are certainly among the skills that cybersecurity students are studying and practicing.
In webinars discussing this topic, I have often heard the advice “find your niche”, but based on this study, it is those core skills that employers really need. The challenge for prospective candidates is gaining real, hands-on skills to overcome the experience barrier that many hiring managers feel is a must-have.
It is this point that is often debated, with terms like “gatekeeper” and “talent shortage” sent back and forth.
Closing the Gap
The shortage has been there since cybersecurity became an industry and it is hard to find two people who agree on how to fix it.
Cybersecurity professionals need time to train in order to start to fill the more senior, more specialised roles. This is easier said than done when working over 100% capacity just to keep afloat because the team is understaffed.
The Emsi “Build (Don’t Buy)” report suggests re-skilling existing employees from other areas of the business, and implementing something called a “Capability Academy” to help nurture existing employees into cybersecurity roles and to increase the skills and knowledge of employees already in the role.
Another possible solution is for hiring managers to recruit from more diverse backgrounds and I think more are coming round to this way of thinking. There is a loud and lively movement pushing this agenda for the benefit of all.
Conclusions
Here is a list of 10 solutions amongst the most commonly put forward to address the gap:
- Career professionals should focus on the right certs
- Career professionals should focus on web application and cloud security
- Employers should pay a lower salary, but offer training
- Offer a higher salary to attract the right candidates
- Hire from more diverse backgrounds
- More investment in high schools
- Organisations need to think more creatively and aim lower with outside talent while cultivating inside talent
- Gain volunteer experience
- Start a blog (tick!)
- Companies need to re-evaluate their hiring strategy
What can be concluded from such a wide variety of suggestions is that we have not yet found appropriate mitigation techniques for this threat, but the answer will likely be a multi-vector approach. One thing you can count on is that as long as the gap remains, the cost of cybercrime will continue to grow.