Cybersecurity skills gap rises. Impacted businesses urged to attract talent with education and embrace AI.
The big picture
In 2023, tech employees found themselves in an unaccustomed position: scrambling for work. Since last January, tech firms including Google, Meta, and Microsoft have laid off around a quarter of a million people. In early December, online music company Spotify announced that it was furloughing about 17% of its workforce—roughly 1,500 employees. Many tech firms that expanded their headcounts during the pandemic have retrenched as growth slows and investors demand cost-cutting.
But there’s at least one area where qualified digital talent remains in short supply. That area is cybersecurity. The cybersecurity skills shortage threatens the well-being and even survival of numerous businesses as cybersecurity threats grow more numerous, sophisticated, and dangerous to the point that cybersecurity groups have vowed not to pay ransom demands.
How bad is the shortage? According to the Cybersecurity Workforce Study from ISC2, a nonprofit organization for cybersecurity professionals, the gap between the number of skilled cybersecurity staffers needed and the number available has risen 12.6% year over year worldwide. That’s despite the fact that the global cybersecurity workforce has grown 10% in the last year to a record high of just under 4 million. Two-thirds of the cybersecurity professionals surveyed in the study, which was released in October, reported that their organization has a shortage of cybersecurity staff needed to prevent and troubleshoot security issues.
A Gartner report asserted this year that by 2025, half of all cybersecurity incidents will occur because of “a lack of talent or human failure.” Cybersecurity is a professional discipline no business can do without, especially during tax season, when client information needs to be protected. And that means organizations need to be proactive in finding, developing, and retaining their cybersecurity workforce.
Why this issue matters
The ISC2 study offers other sobering statistics. Over half of the study’s survey respondents say that cyberattacks have increased because the “attack surface” (the number of potential access points cybercriminals could exploit) has become larger in recent years. In addition, 52% report an increase in insider incidents—cybersecurity threats due to employees and others authorized to access a company’s system. These insiders either are bad actors themselves or have had their access hijacked by cybercriminals. In today’s world, there are a lot more cyber threats to look out for.
Interestingly—and worryingly—survey respondents cited budget cuts, layoffs, and hiring freezes as significant contributors to the shortage. Overall, 47% of those surveyed have experienced cybersecurity-related cutbacks, with 22% of this group having been impacted by layoffs within their organization’s cybersecurity team. This suggests that some tech firms might be shooting themselves in the foot, especially with the SEC’s new cybersecurity rules.
This could also mean that more cybersecurity professionals are available for hire. But do they have the skills companies need? Among respondents to the survey, 92% reported skills gaps at their organization, a gap that includes cloud computing security. An inability to find people with the right skills, the struggle to keep employees who have those skills, and a shrinking hiring budget are the biggest causes cited for these skills gaps. Indeed, 54% of respondents said that the cybersecurity skills shortage situation has been getting worse in recent years.
This should be a big worry for businesses of all kinds. Organizations that can’t find or retain qualified, skilled workers to fill cybersecurity positions are likely to experience productivity losses in their operations. For one thing, the cybersecurity skills shortage can hurt many companies’ efforts to be in compliance with consumer data security standards. If a company can’t guarantee that its data is safe, current and potential customers might be nervous about making purchases online.
Responding to the cybersecurity skills shortage
Given the combination of the skills shortage and increase in cybersecurity threats, what can businesses do to create a good cybersecurity strategy?
How companies can attract and retain cybersecurity talent
An attractive compensation package is certainly one of the ways to build a cybersecurity workforce. But respondents to the survey and other professionals say that it’s just as important to offer continuing education opportunities. Companies also need to find ways for cybersecurity to create synergy with other teams, such as fraud prevention. This not only attracts talent—it helps an organization directly address the skills gap.
The cybersecurity skills shortage has attracted the attention of policymakers and businesses across the globe. In a report released last May, the World Economic Forum offered several insights into how organizations can build the skilled cybersecurity workforce they need to meet future cybersecurity threats. As the report notes, “organizations must make sure they manage the underlying factors that contribute to high attrition rates and provide incentives, including flexible work arrangements, as well as employee wellbeing solutions.” The Forum itself has been developing an initiative, which includes members of both the public and private sectors, to address “the global cybersecurity skills gap and devise actions to help individuals enter and thrive in the cybersecurity workforce.”
How AI can help address the skills shortage
One of the cybersecurity skills that nearly half of survey respondents said is in short supply is knowledge of artificial intelligence (AI) and machine learning. This particular skills gap creates two different types of cybersecurity worries. A lack of familiarity with generative AI platforms such as ChatGPT can make an organization’s IT system more vulnerable to phishing attacks and identity fraud. Cybercriminals are developing ways to use AI in order to make their fraudulent emails and texts resemble credible messages from customers and managers. This expands the organization’s attack surface and makes its cybersecurity team’s work more onerous.
At the same time, AI could provide numerous benefits for a company’s cybersecurity workforce. AI can help safeguard your business. Experts in the field say that it could help gather security data, suggest ways to boost an organization’s security protocols, and even provide training in new skills. While the use of generative AI for cybersecurity is still in its early stages, the development of AI-based security tools is moving fast.
How companies can protect themselves from cybersecurity risk
Cybersecurity professionals also stress that training non-IT employees in “basic security hygiene”—not clicking on suspect email links, for instance—would go a long way to protecting a company’s data. It also can shrink an organization’s attack surface.
Hiring or developing cybersecurity talent and providing all employees with security hygiene training are both essential ways that companies can battle the onslaught of fraudsters and other bad actors seeking to access, disrupt, and steal from their IT networks. In addition, companies should consider digital tools, including the evolving AI toolbox, to help them assess cybersecurity risks. As cybersecurity threats become more sophisticated, organizations and their cybersecurity teams need to keep pace.