The Cyber Security Skills Gap Is A Chicken & Egg Problem

Uploaded on 2024-04-18 in JOBS-Training, FREE TO VIEW, NEWS-Cybersecurity News

The cybersecurity workforce gap is now almost equal to the number employed in the sector, according to figures from ISC2 which found these are globally approaching 4m and 5.5m, respectively. In an effort to address the gap, we’ve seen a host of national drives by governments, from the US National Cyber Workforce and Education Strategy (NCWES) in the US to the National Cyber Strategy in the UK.

The latter has seen a concerted effort to rationalise the sector by the UK Cyber Security Council in the form of its Cyber Career Framework which maps sixteen specialisms and helps provide guidance on the qualifications and certifications in relation to each to support those aspiring to work in cyber.

All are to be applauded except there’s one crucial problem: there aren’t the jobs for these new entrants to apply to.

Job openings for experienced candidates outnumber those for entry level positions by a ratio of two to one, according to The State of Cybersecurity 2023 report from ISACA. It warns that without the creation of enough entry-level positions those that spend significant time and effort completing a cybersecurity pathway program cannot gain the necessary employment experience. This renders government initiatives as useless as they cannot compel enterprises to offer entry-level positions.  

Only The Experienced Need Apply

The vast majority of job openings are for experienced personnel. The Cyber Security Skills in the UK Labour Market 2023 commissioned by the government reveals that 59% of job postings request between two and six years of experience, with the bulk of skills shortages are among middle-management and other senior roles, which require three or more years of experience. This is in part due to the areas where skills shortages are falling. 

The most in demand technical skills are in cloud security. This was followed by risk assessment/management, security analysis and security engineering in the ISC2 report and security controls and implementation in the ISACA report. But top of the list when it comes to the skillsets missing among those with less than three years’ experience was also security controls, which suggests new candidates are not always coming to the market with the desired skillsets.

This may, in part, be due to fact that employers are increasingly becoming disillusioned with the cybersecurity degrees. According to ISACA, only 25% of degree syllabuses need to pertain to cybersecurity topics and less organisations now require a university-degree for entry-level positions. In the workplace, attitudes towards degrees are split: 28% agree university graduates are well prepared for cybersecurity challenges in a real world setting and 24% don’t in the ISACA study. But the ISC2 found the majority now favour experience over a degree (70% versus 30%) among entry level candidates.

The move away from degrees is generally welcomed within the industry, as it lowers the barriers to entry and sees independent study ie certifications and work experience valued more highly. A university degree now comes way down the list on desirable qualifications, after prior hands-on experience (72%), credentials (37%), and hands-on training (25%), according to ISACA. The problem remains, however, as to how candidates can obtain the necessary experience, particularly when that experience needs to span several years. 

Casualties Of The Economic Downturn

All of this points to the need for the commercial sector to step up and commit to taking on and training candidates rather than expecting a ready-made talent pool. But unfortunately, the economic downturn has resulted in quite the opposite. ISACA reports a drop in the number of employers reimbursing employees for university fees and certification fees, for example, while ISC2 found 35% of organisations have made cutbacks to their training programmes to conserve spend. It’s often a false economy, however, with those that don’t offer reimbursements revealed to be the businesses with the worst skills gaps, because under investment in the workforce typically leads to attrition.

The chicken and egg problem of the cybersecurity workforce crisis is therefore complex. Government initiatives that simply seek to blanket the sector with candidates are setting them up to fail, with debts from studying and no job to go into. Hirers are looking for skilled personnel who are diminishing as demand outstrips supply. And cash-strapped businesses are unable to take on the costs of training up green candidates because of a stalling economy and rising costs.  

Solving the problem will therefore take a number of seismic changes. We need organisations to be less blinkered in their approach and expand their hiring parameters to include non-experienced personnel. This is happening, albeit slowly, with 51% now changing their hiring requirements to recruit more people from non-cybersecurity backgrounds, states ISC2. Hiring practices that look for aptitude and potential in terms of technical competency by assessing soft skills such as problem solving, for instance, should be used to assess candidates.

Government initiatives also need to run alongside programmes that incentivise the commercial sector to take on and train candidates. We’ve seen the likes of the CyberFirst programme attempt to create a pipeline for the market which offers university bursaries and apprenticeship schemes but in reality this is a drop in the ocean and can’t match demand. So government supported schemes need to think bigger and work with private businesses to see the creation of entry level opportunities.

Businesses will need to draw upon raw talent and shape people in work placements, through training and mentoring, for example. But this presents a real opportunity to tailor and invest in the workforce and, by solving the problem themselves rather than relying on the market, it makes it less likely that skills gaps will emerge.

Without such radical action, the danger is that the over emphasis on unicorn and experienced job postings are likely to alienate potential applicants and deepen the workforce gap.

Jamal Elmellas is COO of Focus-on-Security

Image: AndreyPopov

You Mght Also Read: 

The Cybersecurity Skills Gap Is Not Just A Numbers Game:

DIRECTORY OF SUPPLIERS - Jobs & Recruitment:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Focus On Education With CYRIN Cyber Range
Overcoming Security Alert Fatigue »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

iXsystems

iXsystems

iXsystems is a leader in Open-Source enterprise server and storage solutions including Backup & Recovery to protect critical data.

Evidian

Evidian

Evidian, a Bull Group company, is the European leader and one of the major worldwide vendors of identity and access management software.

National Cyber Security Centre (NKSC) - Lithuania

National Cyber Security Centre (NKSC) - Lithuania

NKSC is the main Lithuanian cyber security institution, responsible for unified management of cyber incidents, monitoring and control of the implementation of cyber security requirements.

SecureMetric Technology

SecureMetric Technology

SecureMetric is one of SE Asia’s leading players in the field of digital security with a focus on Software Licensing Protection, 2-Factor Authentication, Advanced Identity and Access Management, Publi

National Accreditation Authority Hungary (NAH)

National Accreditation Authority Hungary (NAH)

NAH is the national accreditation body for Hungary. The directory of members provides details of organisations offering certification services for ISO 27001.

Go Grow

Go Grow

Go Grow is a business oriented accelerator program at Copenhagen School of Entrepreneurship. Targeted technologies include IoT, AI and Cybersecurity.

LOGbinder

LOGbinder

LOGbinder eliminates blind spots in security intelligence for endpoints and applications.

Nardello & Co

Nardello & Co

Nardello & Co. is a global investigations firm with experienced professionals handling a broad range of issues including Digital Investigations & Cybersecurity.

Argentra

Argentra

Argentra is a specialist engineering company, we have years of experience developing custom security software and providing security risk consulting.

Purism

Purism

Purism works with hardware component manufactures and the free software community to build high quality hardware that respects your digital life.

Securonix

Securonix

Securonix delivers a next generation security analytics and operations management platform for the modern era of big data and advanced cyber threats.

InfoSec Brigade

InfoSec Brigade

InfoSec Brigade offers a suite of specialized solutions that help businesses to mitigate risk by integrating cyber and IT security protocols with business goals.

ELLIO Technology

ELLIO Technology

ELLIO Technology is a cybersecurity company that reduces alert overload, improves incident response, and helps security teams target serious attackers who pose a real threat.

SecurEyes

SecurEyes

SecurEyes is a leading cybersecurity firm that provides specialised services, including cybersecurity assessments, managed services, and governance risk and compliance services.

M.Tech

M.Tech

M.Tech is a leading cyber security and network performance solutions provider. We work with leading vendors to bring optimal solutions to the market through a channel of reseller partners.

Prophet Security

Prophet Security

Prophet Security empowers organizations to triage, investigate, and respond to alerts with unparalleled speed and accuracy.