How to Navigate the Cybersecurity Workforce Shortage

Cybersecurity stats are in for 2023, and the numbers aren’t pretty. Ransomware attacks are up by 95 percent over 2022, according to the latest analysis by Corvus, a cyber risk insurer. With the inevitable rise in attacks coming in election year 2024, it’s enough to make a company of any size wonder, “Should I hire a cybersecurity expert?”

It’s a question being asked in every industry sector, and many hiring efforts are coming up empty-handed. The pool of available, certified cybersecurity talent simply isn’t keeping up with demand. While the hiring landscape is bleak, it’s not impossible. There’s a lot a company can do to improve its chances of developing, attracting, and retaining top cybersecurity talent.

Let’s take a look at how we got to this point in the cybersecurity workforce shortage, and some of the most effective solutions tech recruiters have found for addressing the problem. 

Why is there such a high demand for Cybersecurity Professionals?

According to Cybersecurity Ventures, the global cybersecurity workforce shortage is expected to reach 3.5 million unfilled positions by 2025. But why is that? It comes down to two key things: money (or lack thereof) and the availability of experienced cybersecurity workers to fill vacancies.

As cyber threats evolve in complexity and severity, organizations of all sizes find themselves grappling with the urgent need for cybersecurity professionals. The realization that a single breach can wreak havoc—resulting in data breaches, financial losses, and reputational damage—intensifies the pressure on organizations to fortify their defenses. 

Years ago, cybersecurity experts were a luxury hire usually found only in large, enterprise-level organizations. But now, cybersecurity experts are prized by corporate IT departments, the government, consulting firms, Silicon Valley, and MSPs, for a start. Additionally, the barrier to entry for the field is high, as CISSP and other cybersecurity certifications are difficult, time-intensive, and expensive to get.

It’s no surprise, then, that qualified cybersecurity talent commands top dollar. A recent check on Talent.com said the average cybersecurity worker in the U.S. made around $120K a year. If you’re looking to hire or staff a department, things get expensive very quickly…if you can even find people to fill the positions.

The Skills Gap in Cybersecurity: Demand Consistently Outpaces Supply

The 2023 Cybersecurity Workforce Study by (ISC)² says that the industry skill gap has increased by an additional 13% from last year, with the demand for skilled professionals consistently outpacing the supply. The workforce just can’t keep up with the pace of the threats being launched by attackers day after day.

The workforce is trying to catch up, but the process isn’t without its hurdles. Many prospective candidates are in the process of acquiring the skills and expertise necessary to effectively counter contemporary cyber threats, but that takes time. Given the ever-evolving nature of cybersecurity, staying abreast of the latest developments is a perpetual challenge, compelling cybersecurity professionals to continuously adapt to emerging threats.

The Complexity of Cyber Threats: Professionals Can’t Learn Fast Enough to Match Pace 

Cyber threats have morphed into intricate and diverse forms, with attackers employing sophisticated tactics to infiltrate networks, pilfer data, and disrupt operations. This complexity necessitates a higher level of expertise and specialization among cybersecurity professionals. Consequently, organizations seek individuals with specialized skills in penetration testing, threat analysis, and incident response. 

Certification and Education Requirements are Time Consuming 

Many cybersecurity roles mandate specific certifications and educational backgrounds. Certifications such as Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH) often serve as prerequisites for specific positions. However, these requirements may limit the pool of qualified candidates, as not all may have the resources or time to obtain such certifications. 

Competition for Talent 

Intense competition for cybersecurity talent prevails among companies, government agencies, and various entities, all vying for the same skilled professionals. This competition poses a challenge for smaller organizations or those with limited resources, making it arduous to attract and retain top-tier talent.  

The Cost of Hiring Cybersecurity Professionals 

The acquisition of cybersecurity talent comes at a price. Salaries for seasoned cybersecurity experts are often steep, reflecting the high demand for their skills. Additionally, recruitment efforts, encompassing job postings, interviews, and background checks, incur significant costs. Thus, organizations must be prepared to invest substantially in cybersecurity talent to ensure the effective protection of their digital assets.  

Lack of Diversity in Cybersecurity 

Historically, the field of cybersecurity has grappled with a lack of diversity. Recognizing this, ongoing efforts are underway to increase diversity and inclusion. A diverse workforce contributes varied perspectives and problem-solving approaches, ultimately enhancing an organization’s overall cybersecurity resilience. However, achieving diversity requires time and a concerted effort from the industry. 

Rapid Technological Change 

Cybersecurity professionals must navigate the swift evolution of technology and threats. This demands ongoing training, learning, and professional development to adapt to new technologies and vulnerabilities. The continuous need for adaptation contributes to the demand for more qualified candidates. 

Security Clearance Requirements

In certain sectors like government and defense, security clearance is a prerequisite for many cybersecurity roles. Navigating the complexities of obtaining and maintaining security clearances can be time-consuming, limiting the pool of eligible candidates for these roles. 

Geographical Variations in Talent Availability

The availability of cybersecurity talent varies significantly by location. While some regions boast abundant talent pools due to the presence of tech hubs and universities, others may struggle to find qualified candidates. Organizations in regions with limited access to cybersecurity talent may need to explore remote work options or employ creative recruitment strategies to bridge the gap. 

What are solutions to the cybersecurity talent shortage?

Getting more talent is about more than just paying well and pushing out job openings. A more strategic approach is required. Here are some of our top suggestions for a more holistic approach to the cybersecurity talent shortage. 

1. Invest in Training and Development: Cultivating Expertise Internally 

Your best source of talent is often the IT department you’re already employing. Many employees would jump at the chance to up their pay and marketability, particularly if the company is willing to pay for their certification process. We do this here at Integris, and so far it’s helped us double our staff of qualified vCISOs.   

Immersive training, specialized tracks, certification support, and continuous learning platforms can go a long way to help employees get their certifications. Internal mentorship fosters knowledge transfer, positioning the organization as a proactive hub for cybersecurity talent development.

2. Competitive Compensation Packages: Attracting and Retaining Top Talent

Organizations must strategically design competitive compensation packages to attract and retain elite cybersecurity professionals, and that tends to be on a sliding scale based on experience and the cost of living in the area where you’re hiring. Here’s a look at some of the recent pay scales for cybersecurity experts, according to payscale.com

Beyond competitive salaries, incorporating performance-based bonuses, comprehensive benefits, professional development allowances, and recognition programs ensures a holistic approach. Supporting work-life balance initiatives, employee stock options, and incentives further strengthens an organization’s appeal. This comprehensive compensation strategy positions the organization as an attractive employer in the competitive cybersecurity landscape. 

3. Collaborate with Educational Institutions: Shaping Future Cybersecurity Talent

Forge strong collaborations with educational institutions to shape the future cybersecurity workforce. Engage in curriculum development, offer real-world insights through guest lectures, establish internship programs, and sponsor cybersecurity initiatives. Providing scholarships, supporting cybersecurity competitions, and participating in job fairs cultivate a pipeline of skilled talent. This strategic partnership ensures that academic programs align with industry needs, creating a well-prepared and diverse cybersecurity workforce. 

4. Diversity and Inclusion Initiatives: Inclusive Cybersecurity Environment

Implement robust diversity and inclusion initiatives to create an inclusive cybersecurity environment. Employ inclusive recruitment practices, provide cultural competency training, establish mentorship programs, and form employee resource groups. Promote gender diversity, ensure equal opportunities for career advancement, and actively participate in diversity initiatives and assessments. These efforts contribute to a workplace that values diversity, fostering innovation and effectiveness in cybersecurity teams. 

5. Continuous Learning: Nurturing Cybersecurity Excellence

Foster a culture of continuous learning for cybersecurity professionals. Support attendance at industry conferences, encourage pursuit of advanced certifications, and engage in threat intelligence-sharing communities. Provide access to online learning platforms, conduct workshops, and support higher education pursuits. Regular knowledge-sharing sessions and subscriptions to cybersecurity publications ensure ongoing development. This commitment to continuous learning empowers cybersecurity teams to adapt to evolving challenges and contribute effectively to organizational resilience. 

6. Creative Recruitment Strategies: Diversifying Talent Acquisition

Adopt innovative recruitment strategies to address the cybersecurity talent shortage. Identify transferable skills, provide on-the-job training, and consider remote work options. Host inclusive recruitment events, collaborate with non-traditional education providers, and introduce gamified recruitment processes. Craft inclusive job descriptions and actively participate in industry forums. These creative approaches broaden the candidate pool and contribute to building resilient and adaptable cybersecurity teams. 

7. Government and Industry Collaboration: Strengthening Cybersecurity Ecosystem

Encourage collaborative efforts between governments and industries to tackle the cybersecurity talent shortage. Foster public-private partnerships, support cybersecurity education initiatives, and allocate funds for research and development. Develop national cybersecurity workforce strategies, incentivize private sector involvement, and promote international collaboration on standards. Enact legislation supporting workforce development and encourage industry associations. This collaborative approach ensures a cohesive and coordinated effort to address the global cybersecurity workforce challenge. 

Let’s wrap things up…

The shortage of cybersecurity workers stands as a complex challenge demanding careful consideration. The competitive market for talent, driven by high demand, a skills gap, and evolving threats, requires strategic investments. By embracing training, offering competitive compensation, fostering diversity, and collaborating with educational institutions, organizations can position themselves to navigate the cybersecurity landscape successfully. In this friendly advisory, we encourage organizations to embark on a holistic journey, embracing ongoing learning, creative recruitment, and collaborative solutions to fortify their digital assets in the face of ever-changing cyber threats.

Carl Keyser is the Content Manager at Integris.
