The Cybersecurity Skills Gap Is Not Just A Numbers Game

Uploaded on 2024-01-15 in NEWS-Cybersecurity News, JOBS-Training, FREE TO VIEW

The cybersecurity skills gap has created an urgency, with governments globally looking to boost the workforce by attracting new entrants not just out of university but from all walks of life.

In the US, the White House unveiled its National Cyber Workforce and Education Strategy (NCWES) in July aimed at making it easier for citizens to enrol and qualify for a career in cyber security while in the UK the National Cyber Strategy sets out goals under Pillar 1, Objective 2 with training initiatives and recruitment from underrepresented groups.

It's clear to see why recruitment in the sector has become a national priority. The latest ISC2 Cybersecurity Workforce Study reveals that globally the workforce has increased 9% over the past year but the gap is growing faster, at 13% with 4 million vacancies, and that means that year-on-year we can expect it to become harder to fill those gaps.

But, crucially, it’s not just a shortage of workers that is causing the problem but a skills gap which means a mass recruitment drive is unlikely to provide an effective solution.

There’s a big difference between the two, with 67% reporting a workforce shortage versus 97% a skills gap, and the latter is much more critical. Over half of those questioned in the ISC2 survey (58%) said they could mitigate workforce shortages if they had sufficient skills across the rest of the team. This is no doubt due to the fact that automation is helping to ease workloads whereas there is substitution for skills, with those in short supply including cloud computing security (35%), artificial intelligence and machine learning (32%) and Zero Trust (29%). 

Experience Over Aptitude

It's this need for specific experience that is seeing the gap widen. The government’s Cyber security skills in the UK labour market 2023 found a third of jobs require a minimum of two to three years’ experience and 28% between four to six years’. Experience is rated above all else by prospective employers, according to the ISC2 report, effectively holding those vacancies open for longer. Plus hiring practices are proving hard to change, with only 51% changing their recruitment criteria to hire from non-security backgrounds.

Fundamentally, we have to focus training on those core skill areas that are the most in demand.

Organisations need to look to offer new recruits external professional development or the opportunity to study third-party certifications in these areas. Yet we’re seeing less not more training, with cost cutting measures seeing staff denied opportunities or being expected to meet the cost themselves. 

The ISACA State of Cybersecurity 2023 report reveals a drop of four percentage points to 28% with respect to employers reimbursing university tuition fees as well as a marginal drop in those paying certification fees. But even more stark is the contrast between those paying the initial fees (65%) versus those paying for the maintenance or renewal of those certifications (55%), which means cybersecurity professionals are consistently expected to pick up the tab on maintaining their qualifications at a time when the cost of living is rising.

Short Term Gains, Long Term Losses

Cutbacks are also exacerbating the skills gap. Those organisations that had laid off staff, for instance, were much more likely to be impacted by a significant skills gap in one or more areas, with 51% found to be in this position compared to 39% who did not lay off staff. In fact, reducing headcount was found to have a more detrimental effect on the skills gap than workforce shortages, perhaps due to morale and confidence in the business to support staff. 

This brings us on to the second biggest driver of the skills gap after sourcing people with the necessary skills: retaining talent.

Low wages, lack of promotion opportunities, and poor job development can all lead to higher attrition rates, making it much harder to keep hold of valuable staff. At organisations that did not offer a competitive salary, for instance, 58% of cybersecurity workers said there were skills gaps compared to 38% of those working at organisations where wages were competitive. 

What these figures all reveal is that solving the skills crisis is not just a numbers game. Attracting more recruits is all well and good but those doing the hiring also need to change their mindset and be more open to recruiting based on potential, not just experience, and from non-security backgrounds.

Training has to be focused on core skillsets which can add value rather than generic disciplines so that the security team can be lean but effective.

And investment in people needs to be sustained to help keep those skillsets relevant, reassure staff that their development is important to the organisation to encourage them to stay, and to avoid saddling staff with their own development costs which could harm the sector as a whole.

Jamal Elmellas is COO of Focus-on-Security

Image: Windows

You Might Also Read: 

Bridging The Cybersecurity Skills Gap With Efficiency:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Might AI Influence Big Elections In 2024?
Enormous Leak - Brazil’s Population Data Exposed »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

DriveLock

DriveLock

Our security solution is designed to prevent external attacks, which are evermore sophisticated as well as monitor, document and even prevent internal incidents.

Progress Flowmon

Progress Flowmon

Progress Flowmon (formerly Flowmon Networks) provide high performance network monitoring technology and behavior analytics to enhance network performance and deal with cyber threats.

MSG Systems

MSG Systems

MSG are committed to intelligent IT and industry solutions and offer independent consulting on all aspects of information security.

Proact IT Group

Proact IT Group

Proact is Europe's leading independent data centre and Cloud services enabler. We deliver flexible, accessible and secure IT solutions and services.

Crossword Cybersecurity

Crossword Cybersecurity

We work with research intensive European university partners to identify promising cyber security intellectual property from research that meets emerging real-world challenges.

Seavus

Seavus

Seavus is a software development and consulting company with a proven track-record in providing successful enterprise-wide business solutions including Managed Security Services.

ReFirm Labs

ReFirm Labs

ReFirm Labs provides the tools you need for firmware security, vetting, analysis and continuous IoT security monitoring.

Cyber Tec Security

Cyber Tec Security

Cyber Tec Security is an IASME Certification Body for Cyber Essentials basic/Plus. We also provide ongoing Managed Security Services.

oneM2M

oneM2M

oneM2M is a global organization creating a scalable and interoperable standard for communications of devices and services used in M2M applications and the Internet of Things.

Open Raven

Open Raven

Open Raven is the cloud native data security platform that prevents breaches driven by modern speed and sprawl. Restore full visibility and regain control within minutes, without agents.

Smoothstack

Smoothstack

Smoothstack is a technology talent incubator whose immersive training program kick starts IT careers and delivers a fresh source of IT talent.

Xiarch Solutions

Xiarch Solutions

Xiarch Security is an global security firm that educates clients, identifies security risks, informs intelligent business decisions, and enables you to reduce your attack surface.

Mission Critical Partners (MCP)

Mission Critical Partners (MCP)

Mission Critical Partners is committed to delivering innovative solutions that help our clients enhance and evolve their critical-communications systems and operations.

Hackurity.io

Hackurity.io

Hackurity.io is a high energy IT security start-up founded in 2021 out of the frustration that IT Security is highly fragmented and reactive.

LegalByte

LegalByte

LegalByte is a leading provider of comprehensive legal and forensic services dedicated to addressing the complex challenges of the digital age.

Nexer

Nexer

Nexer is a modern tech company with expertise in strategy, technology and communication with a strong vision.