
Survey: The Risks of the Cybersecurity Talent Gap Are Getting Worse

With President Biden warning this week that Russian cyberattacks on U.S. businesses are “coming,” a new ISACA survey lays bare the latest (sobering) data points.

Long Read

Pandemic-induced burnout and stress left more cybersecurity positions unfilled in 2021 compared with the previous year. And there’s no sign that the jobs will be staffed with qualified professionals any time soon to meet the heightened threat levels related to the Russian war against Ukraine and President Biden’s warning this week that Russian cyberattacks are “coming.”

Which raises the question: Where are today’s cybersecurity leaders?

“The Great Resignation is compounding the longstanding hiring and retention challenges the cybersecurity community has been facing for years,” says Jonathan Brandt, director of professional practices and innovation at ISACA (the Information Systems Audit and Control Association). The international IT association today published its eighth annual State of Cybersecurity survey of more than 2,000 cybersecurity professionals around the world.


The challenging findings speak for themselves: More than six out of 10 respondents said they are understaffed. One in five reported that it takes more than six months to find a qualified applicant to hire.

As a result, almost 600,000 cybersecurity positions remain unfilled in the U.S., according to CyberSeek. Thousands of companies are at greater risk from cyberattacks. In fact, 69% of ISACA’s survey respondents who sustained some form of a cyberattack last year reported being understaffed.

Assessing the cybersecurity skills gap

Finding qualified talent to fill the cybersecurity skills gap has been difficult, ISACA survey respondents said. Just over half reported that applicants were missing soft skills, including communications, critical thinking, and problem-solving. The second-most-common skills lacking were in cloud computing, followed by security controls implementation, coding, and software development.

With good candidates hard to find, it is little wonder that many companies have turned to poaching cybersecurity professionals. Almost 60% of companies said that most professionals left a job because they were recruited by another firm. The other top pandemic-era reasons for leaving a job stemmed from poor financial incentives, limited opportunities for promotion or development, high work stress levels, and lack of management support.


Some employers pushed workers to return to the office last year, which may have led more people to leave. ISACA reported that more respondents this year cited limited remote-work possibilities and inflexible work policies than a year earlier. Labor shortages could increase, ISACA speculated, if employees leave jobs for better hours, while companies that support remote work may have an advantage in attracting qualified talent.

“There is a huge tension between employers and employees,” says Brandt. “Our challenges are self-inflicted gunshot wounds.”

And the generation gap only deepens the cybersecurity skills gap. “It’s not just about salary with this new generation,” Brandt adds. “What we are seeing is they want to unplug at the end of the day. They want balance.”

Filling the cybersecurity talent gap

As a result, to fill the cybersecurity talent gap, companies are broadening the pool of applicants to include those who did not graduate college. Only 52% of respondents say they now require a university degree, 6 percentage points less than a year earlier. And the percentage of companies that are offering cross-training to current employees interested in cybersecurity was up 2%. One benefit of cross-training is that employees already have some knowledge of the company and how it operates.

Nonprofits like NPower, which provides tech training to underserved communities, and the Cybersecurity Talent Initiative, which matches cybersecurity talent with businesses seeking to fill cybersecurity roles, are a key part of filling the future talent pipeline.

The number of respondents who have brought in consultants and contractors to fill workplace shortages increased 5 percentage points from a year earlier. Experts like Rebecca Herold, CEO of Privacy and Security Brainiacs, recently told Endpoint that outside help works best when the consultants also train in-house workers.

Perhaps because of the shortage of trained workers, only 41% of respondents told ISACA they performed a cyber-risk assessment in the past year. The main reasons given for not doing frequent checks were a lack of time, cited by 43% of respondents, and a lack of trained personnel, cited by 40%. An assessment once per year is likely not frequent enough, ISACA said, given how rapidly attackers change their methods.


While Brandt says that annual cyber-risk assessments appear to be the norm, “there is a growing desire to shorten” the time between them. An assessment, he says, is often viewed as a “big formal monstrosity.” Rather than simply running the full assessment more often, he suggests, organizations can fill the gaps between assessments with threat hunting, the elimination of bad practices, and the implementation of basic cyber hygiene.

Despite today’s ongoing challenges, or perhaps because of them, Brandt believes there is a vital lesson to be learned by business and tech leaders. The pandemic and the war in Ukraine have shown that “every part of the supply chain is fallible, everything is subject to manipulation.” Knowing that, he says, “should inform better risk decisions.”


Bruce Rule

Bruce Rule is a veteran editor, reporter and public-speaking coach with more than 30 years of experience. He worked for more than 19 years as a business editor for Bloomberg, where he covered a wide range of topics of interest to Wall Street, including technology, company events, market news, regulations and policymaking.