The annual (ISC)² Cybersecurity Workforce Study finds that there are now more cybersecurity professionals working than at any previous point, but the field is still very far from fully staffed. Despite a record 4.7 million people across the world now working, there remains a workforce gap of 3.4 million that growth is still not strong enough to address within the next few years.
Cybersecurity careers drawing increasing interest, but massive workforce gap remains
The Cybersecurity Workforce Study included the input of over 11,700 active employees in the industry and hiring decision-makers for organizations throughout the world.
The cybersecurity workforce has grown by a little over 11% since last year, filling 464,000 more positions. Most regions have experienced 12% to 15% growth in hiring, with Asia-Pacific leading at 15.6%; North America lagged with only 6.2% growth, and Australia and South Korea had similar struggles to keep pace. Some individual nations have soared in growth, led by the Netherlands (64.3%) and Japan (40.4%). Only Germany and Singapore saw an increase in unfilled positions.
That would appear to be good news for employers at first glance, but unfortunately demand is still outpacing this growth and is causing the international workforce gap to grow at a little more than double the rate at which positions have been filled (a 26.2% year-over-year increase). Among regions Asia-Pacific was a leader here again, offsetting the hiring sprint with a 52% increase in demand; Latin America was the only region to see a decrease in demand (of about 26%). Among individual nations, India has seen a whopping 630% increase in demand in just a year, France is up 120.6%, and there are numerous others that are in the 55% to 75% range.
Individual industries are having particular problems with corralling enough of the cybersecurity workforce: government agencies, aerospace, education, insurance and transportation report the biggest shortfalls. And overall, across all industries, 70% of respondents say that their organization is not staffed well enough for its cybersecurity program to be effective. Of those that felt this way, 50% said that the organization was at “moderate” or “extreme” risk of a cyber attack due to lack of personnel.
Priorities have also shifted among those that report security concerns due to the workforce gap. In 2021, the leading problems they reported were misconfigured systems and a lack of time for proper risk assessment and management. Risk assessment remains at the top of the list of concerns, but other issues related to the cybersecurity workforce shortfall have shot up this list: patching of critical systems, lack of time available to train all cybersecurity team members, and oversights in process and procedure.
Can the cybersecurity workforce be shored up?
From the numbers reported this and last year, it’s reasonable to expect that the global workforce gap will not be fully addressed at least within the next few years. Shortfalls of this magnitude in the cybersecurity workforce present grave risks, however, even at a national security level.
For the most part the workforce gap is a simple supply and demand issue; a vastly increasing supply of cyber crime, which does not show signs of slowing down at present, creating a demand for qualified talent that simply doesn’t exist in the necessary numbers. Respondents say that other issues can be a more immediate problem, however: those that are actively competing for cybersecurity workforce talent say that turnover is a very serious issue, that wages are not competitive and that this often traces back to an inadequate cybersecurity or IT budget. 22% also said that they feel that leadership is misaligning resources, overloading one particular area or another with too many of their qualified professionals on hand.
Among the relative few organizations that are not experiencing shortages, what is being done to keep the cybersecurity workforce attracted to their positions and happy once in house? This subset of respondents says that internal training opportunities, offering work-from-home and rotating job assignments are particularly effective, and are particularly successful at large companies with at least 1,000 employees.
Most organizations are also looking at automation to address the workforce gap. 57% have already onboarded some sort of automation measures, and an additional 26% say that they have plans to adopt it in the future. The main focus of these systems is to free up the existing workforce to spend more time addressing higher-level tasks.
Cybersecurity workforce shortages are also less common at organizations in which IT hiring managers have a strong working relationship with the HR department, but only 52% of overall respondents say that this is how things stand at their company. 40% of hiring decision-makers outright said that the HR department adds no value to the process.
For their part, skilled employees say that discontent at their workplace stems more from company culture issues rather than what they are asked to do at their jobs. The largest amount said that they changed jobs in the last two years due to better pay and opportunity, but these factors were closely followed by negative or unhealthy company culture, a feeling of burnout and poor work/life balance. Only about 50% say that they are likely to stick with their current position for the next five years.
