Competing For Talent: How to Close the Cybersecurity Skills Gap
The cybersecurity sector is experiencing an unprecedented skills shortage, and the bad news is that it is set to get worse. According to recent figures from the Department for Digital, Culture, Media and Sport (DCMS), there is an annual shortfall of 14,000 people entering the market, which will lead to cumulative shortages. The situation is further exacerbated by the Great Resignation, which is seeing an exodus from the industry due to high stress levels and burnout rates, with more than a third of staff tempted to quit their jobs.
There is particular demand for those in middle management or senior roles with three years of experience or more, according to the DCMS report, which is likely to cause problems for businesses over the next few years while new entrants hone their craft.
The skills in short supply
In terms of skill sets, penetration testing was the scarcest, although this was also the role least likely to be advertised, as it is typically outsourced. This was followed by GRC practitioners and security architects in joint second place, with security operations (i.e. intrusion detection) coming third.
Anecdotally, the report noted that there are perceived to be real shortages in cloud security roles, DevSecOps and security architecture, presumably because these all incorporate nascent technology (with strategies such as Zero Trust driving demand for the latter). There is also evidence to support this: Fortinet's 2022 Cybersecurity Skills Gap report found that half of organisations globally are looking for cloud security specialists, 42 percent for SOC analysts and security administrators, and 40 percent for security architects. Those figures are broadly corroborated by the ISACA State of Cybersecurity 2022 report, which found that the top five security skills in demand today are cloud computing, data protection, Identity and Access Management, incident response and DevSecOps.
Competition for candidates
What this all indicates is that businesses can expect intense competition when it comes to hiring new talent. But they are also likely to struggle to keep hold of skilled personnel, with the ISACA survey finding that 60 percent of businesses had staff poached by rivals last year.
This is leading some organisations to take desperate measures. We are already seeing catch-all job postings, for example, with multiple unrelated skill sets covered in one role in a bid to deal with the issue. However, this simply results in unfillable positions: more than 4 in 10 posts were described as hard to fill during 2020, according to the DCMS.
So how can businesses tackle the skills gap, particularly with regard to the most in-demand skill sets? According to the ISC(2) Cybersecurity Workforce Study 2022, the top investments being made to address the gap are training (36 percent), flexible working conditions (33 percent), certifications (31 percent) and Diversity, Equality and Inclusion (DE&I) initiatives (29 percent).
First and foremost, therefore, employers need to upskill their existing workforce and prioritise training. This demonstrates a commitment to staff and career progression, but it can also enable the business to transfer workers from non-cyber roles into the profession, with the DCMS report noting that 46 percent of those within the cyber sector were previously not in cyber roles.
However, the DCMS found that only 62 percent of businesses have employees with, or working towards, a cyber security related qualification or certified training, and only 21 percent had their cyber security staff undertake training relevant to their role over the course of the past year. Training is also underappreciated or undersold by employers, despite being seen as a strong selling point in job specifications by prospective employees.
In terms of the focus of that professional development, 40 percent were focused on cloud security, 26 percent on risk assessment, analysis and management, and 25 percent on AI and machine learning, closely followed by GRC, threat intelligence analysis, DevSecOps and security engineering, according to the ISC(2). Certifications also continue to be seen as highly desirable, with the same survey finding that the most commonly held is the CISSP (Certified Information Systems Security Professional), but the one currently being pursued the most is the CCSP (Certified Cloud Security Professional).
Mentoring is also hugely important. When taking on newly qualified entrants, giving them the opportunity to safely reverse engineer, reconstruct and fix systems can be a huge benefit, and some employers even provide their own labs for this purpose.
Technology as an enabler
Secondly, investment in automation should be a priority, as this reduces stress and increases job satisfaction, thereby improving retention rates. The ISC(2) survey found that respondents intend to invest more in using cloud service providers to augment their security (38 percent), in using AI and ML to automate manual cybersecurity tasks and existing processes (32 percent), and in assistance with solution selection criteria (35 percent).
Finally, organisations need to rethink their hiring practices. Currently, many businesses have a strict hierarchy in which the hiring team hands over to HR, who then liaise with the recruitment agent. HR teams can provide real insight, for example by helping the team explore apprenticeships, but equally they can lack the insight needed to recruit the necessary skill sets. Or sometimes the skill sets dominate completely, with no consideration given to the type of person the hirer is looking for.
Increasingly, non-technical skills are becoming as important as technical ones. This holds true from senior management, where the CISO is increasingly responsible for communicating and justifying security decisions, to new entrants, who can demonstrate their aptitude for the job through critical thinking and problem solving. Being able to assess these skills is therefore crucial as the sector moves forward.
Formal career pathways
The sector also stands to benefit from more structured career pathways that will help focus and hone skills in these specific areas. A new government initiative – the Career Pathways Framework – aims to help identify the certifications and experience required to progress within specialist fields, and may well also see the establishment of a Register of Practitioners, similar to that seen in the medical and legal professions, to recognise the achievements of ethical, suitably qualified or senior professionals.
In the meantime, the next three to five years will prove crucial for the cyber security sector. Businesses cannot afford to do nothing and need to explore ways to both improve retention and expand their recruitment drives in order to remain secure.
Jamal Elemellas is Chief Operating Officer at Focus on Security, the cyber security recruitment agency, where he is responsible for delivering an effective and efficient selection and recruitment service. He has specific expertise in, and is adept at, designing and delivering secure, scalable and functional ICT services. Jamal has over 19 years' experience in the field and is an ex-CLAS consultant and a Cisco and Check Point certified practitioner.