Cybersecurity talent shortage – outlook for 2023

Talent shortage

According to a 2022 Cybersecurity Workforce Study, the United States alone had approximately 700,000 unfilled cybersecurity jobs last year. The U.S. Bureau of Labor Statistics predicted that that figure would increase to a million in 2023.

In a 2022 survey, only one percent of Fortune 100 companies said they had sufficient in-house cybersecurity talent.

At the same time, cloud storage and intelligence-driven attacks and other emerging threats are increasing. Lacking the staff to counter these threats, organizations are more vulnerable and stand to lose the trust of their public with regard to protecting personal data and dealing with attacks. Additional skilled cybersecurity talent is constantly in demand.

Due to this demand, coupled with the scarcity in supply, wages for skilled cybersecurity professionals continue to rise pricing out many government entities and SMBs. Vital roles often remain unfilled.

Why the shortage?

Reasons given depend on whom you ask. In the U.S., employers often claim a lack of qualified candidates, while workers and candidates blame the gap on the lack of opportunities for entry level or newer employees to break into the industry. Universities are suffering from a lack of professors who are willing to teach cybersecurity classes because those who are qualified to do so can earn much more actually working in cybersecurity jobs in the private sector.

A new survey from non-profit (ISC)2 of more than 11,000 cybersecurity practitioners and decision makers sheds a much clearer light on the situation: results show that the problem lies mostly with organizations failing to invest enough in developing their cybersecurity workforce, not a shortage of available talent.

“This analysis suggests that the most negatively impactful issues are ones that organizations can indeed control: not prioritizing cybersecurity, not sufficiently training staff, and not offering opportunities for growth and promotion. Being able to find qualified talent was actually the least impactful problem based on this analysis,” the (ISC)2 report stated.

Generalists vs. specialists

John Hendley, Head of Strategy, IBM Security X-Force offers the following prediction and solution:

“Hiring the talent required to secure the cloud will be a challenge for security leaders in 2023,” he reports. “One of the greatest hurdles stems from the large number of people needed in very niche, specialized roles. With so many companies increasingly going all-in on the cloud – and a skills crisis that’s worsening year by year — the solution to the skills gap lies in cybersecurity generalists. Organizations will recruit more generalists with successful track records, and build internal teams by reskilling specialists back to generalists,” he predicts.

What skills does a cybersecurity professional really need?

Shruti M., Senior Research Analyst at Simplilearn writes: “To become a cybersecurity professional, you need to have the following skills:

“IT Security Expertise: This is one of the most important skills to have as a cybersecurity professional. You should be able to understand how hackers work and what they do to prevent attacks on your organization’s network or data.

“Expertise in Cybersecurity Laws: Cybersecurity professionals also need expertise in relevant laws that govern cybersecurity issues, such as the Computer Fraud and Abuse Act of 1986.”

These skills can be taught.

The answer

The “Great Resignation” and the mass layoffs have created a large pool of candidates. Many of those who have sought a new career have turned to Tech and are glad to have done so. Organizations need to carefully review their job requirements and be willing to take on new staff at entry and lower levels in cybersecurity who have the talent and can acquire any skills that are missing, not open themselves up to cybersecurity risks because they cannot find or afford fully fledged seasoned veterans for every role.

As a longer term solution, the entire education system needs to adjust so that there are sufficient graduates to fill the very remunerative work in cybersecurity.