The Cyber Security Skills Gap Is A Chicken & Egg Problem

The cybersecurity workforce gap is now almost equal to the number employed in the sector, according to figures from ISC2, which found these are globally approaching 4m and 5.5m, respectively. In an effort to address the gap, we’ve seen a host of national drives by governments, from the National Cyber Workforce and Education Strategy (NCWES) in the US to the National Cyber Strategy in the UK.

The latter has seen a concerted effort to rationalise the sector by the UK Cyber Security Council in the form of its Cyber Career Framework, which maps sixteen specialisms and provides guidance on the qualifications and certifications relevant to each, to support those aspiring to work in cyber.

All are to be applauded except there’s one crucial problem: there aren’t the jobs for these new entrants to apply to.

Job openings for experienced candidates outnumber those for entry-level positions by a ratio of two to one, according to The State of Cybersecurity 2023 report from ISACA. It warns that without the creation of enough entry-level positions, those who spend significant time and effort completing a cybersecurity pathway programme cannot gain the necessary employment experience. This renders government initiatives useless, as they cannot compel enterprises to offer entry-level positions.

Only The Experienced Need Apply

The vast majority of job openings are for experienced personnel. The Cyber Security Skills in the UK Labour Market 2023 report, commissioned by the government, reveals that 59% of job postings request between two and six years of experience, with the bulk of skills shortages among middle-management and other senior roles, which require three or more years of experience. This is in part due to the areas in which the skills shortages are concentrated.

The most in-demand technical skills are in cloud security. This was followed by risk assessment/management, security analysis and security engineering in the ISC2 report, and by security controls and implementation in the ISACA report. But security controls also came top of the list of skillsets missing among those with less than three years’ experience, which suggests new candidates are not always coming to the market with the desired skillsets.

This may, in part, be due to the fact that employers are increasingly becoming disillusioned with cybersecurity degrees. According to ISACA, only 25% of a degree syllabus needs to pertain to cybersecurity topics, and fewer organisations now require a university degree for entry-level positions. In the workplace, attitudes towards degrees are split: in the ISACA study, 28% agree university graduates are well prepared for cybersecurity challenges in a real-world setting and 24% don’t. But ISC2 found the majority now favour experience over a degree (70% versus 30%) among entry-level candidates.

The move away from degrees is generally welcomed within the industry, as it lowers the barriers to entry and sees independent study, i.e. certifications, and work experience valued more highly. A university degree now comes way down the list of desirable qualifications, after prior hands-on experience (72%), credentials (37%), and hands-on training (25%), according to ISACA. The problem remains, however, of how candidates can obtain the necessary experience, particularly when that experience needs to span several years.

Casualties Of The Economic Downturn

All of this points to the need for the commercial sector to step up and commit to taking on and training candidates rather than expecting a ready-made talent pool. Unfortunately, the economic downturn has resulted in quite the opposite. ISACA reports a drop in the number of employers reimbursing employees for university fees and certification fees, for example, while ISC2 found 35% of organisations have made cutbacks to their training programmes to conserve spend. It’s often a false economy, however: those that don’t offer reimbursements were revealed to be the businesses with the worst skills gaps, because under-investment in the workforce typically leads to attrition.

The chicken-and-egg problem of the cybersecurity workforce crisis is therefore complex. Government initiatives that simply seek to blanket the sector with candidates are setting them up to fail, with debts from studying and no job to go into. Hirers are looking for skilled personnel from a pool that is diminishing as demand outstrips supply. And cash-strapped businesses are unable to take on the costs of training up green candidates because of a stalling economy and rising costs.

Solving the problem will therefore take a number of seismic changes. We need organisations to be less blinkered in their approach and expand their hiring parameters to include non-experienced personnel. This is happening, albeit slowly, with 51% now changing their hiring requirements to recruit more people from non-cybersecurity backgrounds, states ISC2. Candidates should be assessed with hiring practices that look for aptitude and potential for technical competency, for instance by assessing soft skills such as problem solving.

Government initiatives also need to run alongside programmes that incentivise the commercial sector to take on and train candidates. We’ve seen the likes of the CyberFirst programme attempt to create a pipeline for the market, offering university bursaries and apprenticeship schemes, but in reality this is a drop in the ocean and can’t match demand. So government-supported schemes need to think bigger and work with private businesses to see the creation of entry-level opportunities.

Businesses will need to draw upon raw talent and shape people in work placements, through training and mentoring, for example. But this presents a real opportunity to tailor and invest in the workforce and, by solving the problem themselves rather than relying on the market, makes it less likely that skills gaps will emerge.

Without such radical action, the danger is that the over-emphasis on unicorn and experienced job postings is likely to alienate potential applicants and deepen the workforce gap.

Jamal Elmellas is COO of Focus-on-Security

Image: AndreyPopov
