Cyber Workforce: Out of the Ashes and Into the Fire

Author: Naomi Buckwalter, CISSP, CISM, Director of Information Security & Privacy, Energage
Date Published: 23 March 2022

ISACA’s State of Cybersecurity 2022 report was published earlier this week, and it’s not looking too good for us good guys.

For the third year in a row, the cybersecurity labor shortage looms large as the main focal point, casting its long, grim shadow across most of the report’s 40-plus pages. And even when the labor shortage isn’t front and center, you can still see the effects of its influence, from skyrocketing future hiring demand (page 13), to driving retention difficulties (page 19), to creating barriers that limit cybermaturity efforts (page 35).

It’s clear that the labor shortage has created a tipping point in our industry, and the data proves it.

At the Edge of a Precipice
Of the 2,031 cybersecurity professionals surveyed, only 34 percent say their team is appropriately staffed (no change), and 63 percent of cybersecurity teams have at least one unfilled position (+8 percentage points from last year). These vacancies remain open for quite some time as well; 63 percent say it takes longer than three months on average to fill (+3 percentage points from last year).

The dearth of experienced cybersecurity professionals will not abate anytime soon. Rather, it is predicted to be markedly worse in coming years. Indeed, an aging workforce means we are only two to three decades out from a mass exodus in our industry; 83 percent of the workforce is older than 35.

I am neither the first nor the last to stress the importance of increasing the volume of experienced professionals in cybersecurity. A growing number of individuals, organizations and government agencies have all joined in the call for hiring more entry-level security talent. We are now standing at the edge of a precipice, and before us lies a decision. Do we continue our current course and walk off the edge? Or do we reach down and raise those who will replace us? Do we finally acknowledge the dire need to build the next generation?

A Cautious Optimism
We have almost everything at our disposal to hire more people. Not only are there thousands of candidates ready, willing and able to begin a career in cybersecurity, we also, for the first time in three years, have the money to hire them.

More than half (55 percent) of survey respondents expect budget increases; a record 42 percent say that their organization’s cybersecurity budget is appropriately funded (+5 points from last year). Notably, the percentage of cybersecurity budgets that are expected to decrease fell an astounding 12 points, from 20 percent in 2021 to 8 percent in 2022. It remains to be seen, however, exactly how this additional money will be spent.

Where Do We Go From Here?
As society emerges from the ashes of the COVID-19 pandemic, the cybersecurity industry finds itself caught in the fire of another crisis, but one of our own making. Not only are we understaffed and overworked, we are stagnating our organizations’ cybermaturity efforts; 40 percent of respondents say their organizations are unable to conduct cyber risk assessments due to personnel shortages.

But personnel shortages are not due to a lack of qualified candidates; it’s simply because our current definition of “qualified candidates” is wrong.

While 55 percent of survey respondents believe that candidates are “not qualified” due to a lack of “prior hands-on experience” and “credentials,” an almost equal number (54 percent) agree that the biggest skills gap for candidates is their soft skills, not technical skills.

Something clearly doesn’t line up here. This is six of one, half a dozen of another.

If we are to solve the cybersecurity labor shortage, we must hire more people at the entry-level. We must invest in the next generation. We must train them and show them what good information security practice looks like.

Because once we leave, who will be left?

About the author: Naomi Buckwalter, CISSP, CISM, is the founder and Executive Director of Cybersecurity Gatebreakers Foundation, a nonprofit dedicated to closing the demand gap in cybersecurity hiring. She has over 20 years' experience in IT and Security and has held roles in Software Engineering, Security Architecture, Security Engineering, and Security Executive Leadership. As a cybersecurity career adviser and mentor for people around the world, her passion is helping people, particularly women, get into cybersecurity. Naomi has two master's degrees from Villanova University (Computer Science and Technology Management) and a Bachelor of Engineering from Stevens Institute of Technology.