The cybersecurity skills gap is a major challenge facing businesses and organizations today. The immense and well-publicized illicit gains generated by cyber attackers have drawn a steady stream of talent to feed the growing army of cyber attackers looking to make their fortune. To respond to this threat, it has become more urgent than ever for cyber defenders to expand the pathways to attract new recruits into the cybersecurity profession.
What Is the Cybersecurity Skills Gap?
The cybersecurity skills gap is the gap between the demand for qualified cybersecurity experts and the available supply of professionals with the necessary skills and training. This gap is a result of the increasing sophistication, volume and velocity of cyber-attacks, the expanding attack surface, and the number of complex security solutions needed to defend it.
Recent surveys of American business leaders and executives make it abundantly clear that companies are struggling to keep up with the constant barrage of cybersecurity threats that their organizations face. For example:
- 80% of organizations suffered one or more breaches that they could attribute to a lack of cybersecurity skills and/or awareness [1].
- 67% of business leaders agree that the shortage of qualified cybersecurity candidates creates additional risks for their organizations [2].
How Is the Cybersecurity Skills Gap Affecting Businesses?
First, the lack of talent creates quantitative and qualitative shortfalls in defending against rising cyber threats. Second, due to the scarcity of talent, organizations must spend more money to build an adequate team and arm them with the best technology. Third, businesses are having a harder time finding qualified employees. With the shortage of professionals, businesses are forced to either pay more for qualified employees or train current, mostly inexperienced employees to fill the gaps. Finally, the shortage of cybersecurity professionals is impacting the nation's economy as a whole. In the event of a successful attack, businesses that are integral to the supply chain can face significant financial losses due to downtime, data loss, and reputational damage.
What Are the Greatest Challenges to Overcome the Cybersecurity Skills Gap?
Traditional sources of professional talent are simply not generating enough candidates. Many colleges and universities do not offer specific courses in cybersecurity, so students have to seek other training options. The landscape of cybersecurity threats is constantly changing and becoming more complex, so it can be difficult for businesses to find professionals who are current on the latest threats and solutions. Additionally, businesses need employees who are creative and collaborative in order to find new and innovative solutions to the ever-evolving cybersecurity threats. Unfortunately, many businesses do not have the luxury of resources to foster creativity and collaboration within their workforce while continuously defending against threats.
#1 The demand for cybersecurity talent is drastically outpacing the rate at which we can train specialists.
60% of organizations have reported that they struggle to recruit cybersecurity talent, and the global cybersecurity workforce must grow by 65% to effectively defend organizations from the complex threats in the cyber threat landscape [3].
The demand for cybersecurity talent has never been greater. With the constant threat of cyber-attacks, businesses are struggling to keep up with the latest threats and protect their networks and data. The lack of qualified professionals is leaving businesses vulnerable to attack and costing them millions of dollars in losses. Compounding the gap is the fact that traditional educational programs are not producing enough qualified graduates to meet the demand that businesses and organizations have for fresh talent in the cybersecurity field.
#2 Companies are not only struggling to recruit new cybersecurity talent but retaining talent is a major struggle as well.
The cybersecurity workforce is aging. For example, 16% of the federal IT workforce is over 60, while only 3% is under 30 [4]. Professionals are simply aging out of the workforce and are not learning the newest skillset for defending their companies from the ever-evolving cybersecurity landscape. Moreover, the average tenure in a cybersecurity role is just 4 years, so businesses are struggling to retain workers in these high-demand positions. This is made evident by 60% of surveyed business leaders saying they struggle to retain qualified people [5]. In order to retain talent, companies must be innovative in their strategies to please employees in this space. Solutions for retaining cybersecurity talent include flexible working conditions, fostering relationships with young professionals in the cybersecurity field, and advancing DEI initiatives to show employees of all backgrounds that they are working at a company that values diversity, equity, and inclusion.
#3 There is a clear lack of diversity in cybersecurity talent.
It is no secret that the tech industry has a diversity problem. The cybersecurity workforce is no exception. People of color are heavily underrepresented in the cybersecurity field. This lack of diversity is often attributed to a lack of awareness of available opportunities, failures of the education system, and a lack of pathways or programs for people of color who may not be able to pursue a traditional path to college and a professional career. Others point the finger at tech companies for not prioritizing DEI initiatives in hiring practices or outreach. Having a diverse team is proven to benefit companies. Diverse teams reduce errors, and diverse companies make more money and have less turnover.
Women are also heavily underrepresented in the cybersecurity field. According to a recent study, women make up only 20% of the cybersecurity workforce [6]. This lack of diversity can be attributed to a number of factors, such as the perception that cybersecurity is a male-dominated field, the lack of role models for women in tech, and a lack of programs seeking out women. The lack of diversity in cybersecurity is a major problem for businesses and organizations all over the world. With such a small percentage of women making up the workforce, companies are struggling to find qualified individuals to fill positions. This lack of available talent leaves businesses vulnerable to attack, as they do not have the necessary personnel to defend themselves.
#4 Traditional educational institutions lack cybersecurity degrees and programs.
Because the cybersecurity industry is always evolving, it can be difficult for colleges and universities to keep up with the pace of this evolution. The lack of a curriculum focused on cybersecurity results in students having to find other training options if they want to enter the field.
The Brooklyn Cyber Center, launched by Ankura in 2021, aims to address two perennial challenges in the cybersecurity industry: the severe talent shortage in the sector, which has made it difficult for organizations to fill open security positions with qualified staff, and a historic lack of diversity in the information security profession. Learn more here: https://ankura.com/news/ankura-launches-brooklyn-cyber-center
#5 Companies are not casting a broad-enough net when doing outreach for prospective employees.
Most companies are very rigid in their hiring process and do not look outside the lens of four-year institution graduates. Having a narrow hiring perspective like this leaves behind qualified professionals who sought out alternative means of education. If firms were more open to the idea of hiring professionals without four-year degrees, the cybersecurity skills gap would lessen.
Which Cybersecurity Skills Are in the Highest Demand?
Key Hard Skills
Threat Intelligence
Threat intelligence is the practice of gathering and analyzing information about threats to an organization’s digital assets in order to better protect them. Threat intelligence is collected from a range of public and private sources and can be used to anticipate potential attacks, evaluate the severity and impact of an attack, and develop strategies for mitigating or preventing future attacks. It involves collecting disparate data from a variety of sources, aggregating it, and applying targeted analytics to derive actionable information.
Cloud Security
Cloud security is the practice of protecting data stored in cloud infrastructure and/or SaaS environments from unauthorized access, malicious attacks, and data loss. It involves implementing policies and procedures to ensure that data is handled securely, with strict rules for who can access what information. Cloud security also encompasses mastery of virtualized operating system characteristics, identity management, and secure authentication protocols.
SOC Analyst Experience
SOC analysts are highly sought-after professionals who specialize in monitoring and analyzing IT systems to identify any potential security threats. They use a variety of tools and techniques, such as threat hunting, log correlation and analysis, behavioral anomaly detection, and more to ensure data is protected from cyber-attacks. Having this experience on a cybersecurity team is key to building a strong, protected cybersecurity force.
Key Soft Skills
Adaptability
Adaptability is an essential skill for cybersecurity professionals, as the security landscape constantly changes and evolves. What was good enough to protect your systems yesterday may not be good enough today. Cybersecurity professionals must be able to adapt quickly to new threats and stay up to date on security best practices and trends. Having excellent adaptability skills allows cybersecurity professionals to anticipate future risks and proactively protect against them.
Communication
Good communication skills are essential for a successful cybersecurity team, as they allow team members to collaborate effectively and exchange ideas. Cybersecurity professionals must also be able to communicate complex concepts to their teams and the organizations they protect. The ability to succinctly summarize an observation, formulate investigative plans, and communicate escalations is critical to the success of a SOC team.
Passion/Desire to Learn
The passion to learn in the field of cybersecurity is essential for success. Cybersecurity professionals must be constantly learning and evolving with the ever-changing landscape, so it’s important that they have a strong interest in the subject. Additionally, having a passion for cybersecurity can help an analyst stay motivated when tackling complex problems and spark the development of innovative solutions.
Curiosity
Curiosity is an essential trait for a successful cybersecurity professional as they must be proactive in searching for new threats and have the skill to think outside of the box. Cybersecurity professionals need to remain curious and constantly look for innovative solutions to stay ahead of ever-evolving cyber threats. Curiosity also helps professionals understand how attackers think, which can help mitigate potential threats.
How Can We Close the Cybersecurity Skills Gap?
There is no simple way to close the cybersecurity skills gap, which will remain a significant challenge for many years to come. We must first foster an inclusive, welcoming environment that draws creative talent and fosters the development of a culture that is appealing to the best and brightest. Emphasizing that it doesn’t take an advanced degree from an elite school to become a cybersecurity professional will help reduce perceived barriers for a much wider pool of diverse talent. By working together, cybersecurity professionals can exchange knowledge and ideas, which will ultimately help make everyone more effective in their work.
Creating opportunity and awareness in the cybersecurity industry.
A major contributor to the cybersecurity skills gap is the lack of awareness that many professionals and young people have of the cybersecurity profession as a viable career path. Compounded with a lack of awareness for the cybersecurity industry, there are very few options for those who did not get a four-year degree as hiring practices remain riddled with barriers to entry that don’t often provide opportunities for those who take a non-traditional path to employment. Awareness for the industry can be driven through alternative recruiting channels, like job fairs and partnering with alternative educational programs. Moreover, intentional outreach to people who are generally underrepresented in the industry, like people of color and women, is key to changing the diversity landscape of the industry.
Opportunities in the cybersecurity industry can be driven by not disqualifying people who did not receive four-year degrees. Making it known that it is possible to become a successful cybersecurity professional without a college degree is paramount to advancing diversity and filling the talent gap in the industry.
Underrepresented communities represent a significant potential for cybersecurity talent.
African Americans only represent 11% of the cybersecurity workforce, even lower, only 9% of all STEM professionals, and lastly, 7% of computer science employees. Latinos are also severely underrepresented in the cybersecurity field, only making up 17% of the workforce, and only 8% of all STEM professionals and computer science employees [cite].
Businesses and organizations need to evolve and adapt their hiring practices to account for a focus on diversity. This can be done through partnerships with local colleges, universities, and job skills training programs to promote open opportunities to people of color.
Colleges and universities should also promote programs and opportunities for people of color in cybersecurity by offering scholarships or internship programs to cultivate progress in this space.
Making cybersecurity a board-level priority
There are a number of reasons why it is important to make cybersecurity a board-level priority. First, board members can provide strategic guidance to senior management on how to protect the company from cyber threats. Second, board members can help ensure that the necessary resources are allocated to cybersecurity initiatives. Third, board members can act as advocates for cybersecurity within the organization. Finally, board members can serve as a check and balance against any potential missteps by senior management with respect to cybersecurity.
- 90% of American organizations already discuss cybersecurity with their board [cite].
- 76% of organizations indicate that their board of directors now recommends increases in IT and cybersecurity headcount [cite].
Developing a holistic hiring strategy
A holistic hiring strategy is important for cybersecurity because it allows businesses to find the best talent possible. By casting a wide net and considering all potential candidates, businesses can find the best fit for their organization. Additionally, a holistic hiring strategy can help businesses identify people with the necessary skills to fill open positions. Finally, a holistic hiring strategy can help reduce the risk of making a mistake when filling a cybersecurity position.
"A holistic hiring strategy must include a diverse team with different viewpoints. Having a team with different backgrounds and experience will help mold a comprehensive cybersecurity team." - Jamar Haywood (Managing Director, Ankura)
Designing for retention in cybersecurity
Designing for retention in cybersecurity is important for organizations to ensure employees stay in their roles with the company and are equipped with the necessary skills to stay current on cyber threats. To achieve this, organizations must create a culture of learning where employees have access to resources and training opportunities that help them develop and maintain the key skills needed for the job. Additionally, organizations should provide employees with appropriate recognition for their achievements, as well as clear paths for career advancement.
Organizations should also create an environment where employees feel valued and appreciated. This includes offering competitive salaries, providing flexible work schedules, and offering other perks such as onsite childcare or time off to pursue hobbies or volunteer activities. Additionally, creating a sense of camaraderie among employees can also help foster a sense of belonging and commitment to the organization. Organizations should also focus on creating an inclusive work environment where diversity is valued and encouraged. By promoting an open and collaborative culture, organizations can create a workplace that not only attracts diverse talent but also retains them.
This article was edited by Connor McCulloch, an Senior Associate in the Ankura Washington, DC office.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
