The cyber security skills shortage: What skills are missing?
As the cyber security skills shortage deepens, what specific skills is the industry lacking and how can firms do more with increasingly tight budgets?
The cyber security skills shortage is evolving as technologies such as cloud and generative AI pose new challenges for businesses. As leaders work to safely implement new solutions and respond to an ever-changing threat landscape, the lack of cyber security professionals with knowledge of cloud infrastructure or vulnerability management continues to sting businesses.
The threat of a breach is growing, with 29 new ransomware groups having shown up in 2023 and the National Cyber Security Centre (NCSC) reporting a rise in high-level cyber incidents across the year. The NCSC reported a 64% rise in incidents considered serious enough for investigation by its incident management (IM) team.
Resolving the issue is a complex task. Businesses still feel the strain of the skills shortage, even as the global cyber security workforce grew by 9% to over 5.5 million people across 2023, according to the ISC2’s Cybersecurity Workforce Study. Across the same period, the skills gap also surged by 13%, with ISC2 estimating there are roughly 4 million cyber security professionals needed worldwide. “The profession needs to almost double to be at full capacity,” wrote ISC2.
The deficit spans multiple vectors, with the UK government’s Cyber Security Skills in the UK Labour Market report suggesting both soft and technical skills are needed to fill the gap. So what specific skills are lacking and how can firms do more as budgets continue to be squeezed?
Cyber security skills shortage: a worsening picture
There’s no doubt that big tech layoffs have created a skills deficit. According to the ISC2 study, 47% of cyber security professionals have dealt with cutbacks to their teams via layoffs, budget cuts, or promotion freezes.
This creates a “dire situation” for many organizations, says Chris Waynforth, general manager and VP, international business at Expel.
For growth industries such as cyber security, there is “simply not enough staff to meet current sector challenges”, says Kevin Curran, IEEE senior member and professor of cyber security at Ulster university. “Employers face difficulties in meeting the salary expectations of skilled professionals, balancing qualifications with practical experience, and retaining talent.”
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Discover how you can meet the performance needs of today’s hybrid employees
DOWNLOAD NOW
Cloud is just one area where security skills are lacking, as wider cloud skills shortages push developers to the brink. The problem could get worse before it gets better. In the future, it will be even more difficult to find workers with the necessary skills required to secure a cloud infrastructure, especially as the platform grows in complexity, Curran says. “Even now, it is hard to find cyber security staff with good experience in this area.”
The deficit spans fresh recruits to top-tier management, encompassing cyber security skills businesses need such as cloud security, threat intelligence analysis, incident response, network security, encryption, and vulnerability management, says Kunal Purohit, chief digital services officer, Tech Mahindra.
There are technical skills gaps too, in top programming languages such as Python, Java and C+ for example, says Purohit. Yet it’s not all about technical expertise – effective communication skills are a must in cyber security, says Purohit. “Cyber security professionals should be able to explain complex concepts in simple terms and provide guidance on best practices for maintaining security.”
Cyber security skills shortage: a jack-of-all-trades solution
In smaller businesses, there is a shortage of “jack of all trades” type candidates, says Lewis West, head of cyber security at recruitment provider Hamilton Barnes. “This is increasingly true as cyber-attacks become more niche and sophisticated, causing experts to focus on a specific discipline within the market.”
The shortage isn’t due to a lack of candidate interest, West says, but supply-demand imbalance. “While there are numerous candidates eager to break into the industry, entry-level opportunities are scarce. When you look at mid-level positions the opposite is true – there are plenty of positions but not enough people to do them.” Requiring a certain level of experience is holding some firms back, says Jamal Elmellas, COO, Focus on Security. “The ISC2 report showed this was prized over all other achievements – even [cyber security] degrees – and that most vacancies were looking for between two and six years.”
“We’re now seeing individuals dedicate time to investing in pathway initiatives only to find they cannot gain employment. It’s a chicken and egg situation because there aren’t the entry-level positions for them to go into.”
Diversity is one area that can help to boost a firm’s cyber security. A renewed focus on diversity, equity and inclusion (DEI) programs can help organizations recruit new talent and ensure that employees from every background feel “represented, valued and empowered,” says Waynforth.
One area of diversity being championed in cyber security to help fill the skills gap is neurodiversity, defined as alternative thinking styles such as dyslexia, dyspraxia, autism and ADHD.
Neurodiverse candidates can offer “significant value”, says West. “Those with autism or ADHD, for instance, often demonstrate an ability to remain hyper-focused. Blue teams are in particular need of talent who can identify anomalies, discover root causes of incidents, problem solve, sit through complex tasks for long periods of time, and take different approaches to solutions.”
Rob Demain, CEO of e2e-assure, explains how his company has implemented “a successful and highly-regarded” neurodiversity hiring initiative: “To date, 10% of the e2e-assure workforce identifies as neurodiverse, which is representative of the national population.”
Many businesses’ recruitment processes still fail neurodiverse candidates. Demain says firms need to adapt their recruitment to be more inclusive. “We’ve removed compulsory in-person interviews and have created open job descriptions that focus on individual skills. Training for staff members is also key to ensure people with diverse needs are properly supported and that different challenges and perspectives are taken into consideration.”
Cyber security skills shortage: remedies on a budget
At a time when margins are being squeezed and businesses are looking to reduce cyber security costs, filling the gap is often easier said than done. To approach cyber security on a budget, firms should be focused on building a security culture, says West.
This should include increasing awareness across the entire team and hiring the correct people. “Instil a security-first mindset across the whole workforce and make the area everyone’s responsibility. Simply training employees to become more aware of attackers’ methods is an effective way to reduce the number of successful cyber-attacks.”
The best online cyber security courses could be the start for any workforce. Leaders could also give employees examples of specific cyber security horror stories, provide more information on how hackers choose their targets and the most-targeted industries, as well as educate employees on specific threats such as business email compromise (BEC).
But like anything else, accept that cyber security skills must be learned. Establishing a strong foundation of security knowledge takes “time and resources”, says Quentyn Taylor, senior director of information security EMEA at Canon.
Firms should adopt a security pathway within their own business and grow talent internally rather than outsourcing Taylor says, noting this could be the best route for firms with high demands and a limited talent pool.
Taylor also advises investing in internship programs and other internal upskilling opportunities. It is also important to consider that the cyber security industry requires more than just information security skills, he says: “Core skills such as problem-solving, communication, and foundational IT expertise also have a key role to play in establishing well-rounded security teams”.
At the same time, having a positive attitude is crucial, says Taylor. “At Canon, we look for good communication skills, attention to detail, and a data-driven instinct.”
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.