How the skills gap threatens to erode cybersecurity defences

Jamal Elmellas, Chief Operating Officer of cybersecurity recruitment consultancy Focus-on-Security

The shortage of skilled cybersecurity professionals is beginning to take a real toll on businesses. Globally, 63% have unfilled positions and a fifth say it is taking them more than six months to find qualified cybersecurity candidates, according to the ISACA State of Cybersecurity report. But being short-staffed has far more profound implications. A depleted security team means there are fewer eyes and ears to defend the business.

The World Economic Forum has said that 60% would “find it challenging to respond to a cybersecurity incident owing to the shortage of skills within their team” and industry body ISACA has since found that 69% of those businesses that have suffered a cyber attack in the past year were somewhat or significantly understaffed, proving a direct link between the recruitment crisis and the security resilience of organisations.

Moreover, the Cybersecurity Skills Gap Global Research Report found 80 percent of organisations surveyed worldwide had suffered one or more breaches due to a lack of cybersecurity skills and 67 percent believed that the shortage of qualified cybersecurity candidates was creating additional risk.

Elevated risk

That risk comes not just from gaps in defences: those who remain on the security team become overstretched, compromising their effectiveness. The Voice of SecOps 2022 report found 91% of senior cybersecurity professionals reported feeling stressed and 45% had considered quitting the industry. In addition, over three quarters had taken on responsibilities they did not feel prepared for in order to fill the gap, according to The State of Security 2022 report.

What this translates to, in reality, is that the security team has to prioritise tasks. Consequently, jobs such as risk assessment and management were sidelined by 48%, while shortages also led to oversights in process and procedure (43%) and slow patching of critical systems (39%), according to an (ISC)2 report.

To make matters worse, the prediction is for the skills shortage to deepen. The Department for Digital, Culture, Media and Sport (DCMS) has revised its estimates, predicting an annual shortfall of 14,100, up from 10,000. Only 7,500 enter the profession each year, of which 4,000 are graduates, with the rest comprising those who have upskilled, changed career or come through apprenticeships. But those currently exiting the profession number between 4,000 and 7,000. The DCMS report claims 17,500 staff are needed every year, with demand growing on average 14% per annum over the course of the last five years, painting a bleak picture.

The (ISC)2 report puts this into context globally. It estimates there to be 3.4 million vacancies in the sector, while the workforce totals 4.7 million, making a deficit of 42%. Regionally, the report found the skills gap leapt 73% in the UK last year. But it’s important to note that some roles are in more demand than others.

Where skills are scarcest

Middle management and senior roles with three years’ experience or more are particularly difficult to fill, according to the DCMS report, which is likely to cause issues over the next few years while new entrants cut their teeth and gain the necessary experience. But what specific fields are experiencing the highest scarcity?

The 2022 Cybersecurity Skills Gap report found half of organisations globally are looking for cloud security specialists, 42% for Security Operations Centre (SOC) Analysts and Security Administrators and 40% for Security Architects, while ISACA’s top five security skills are cloud computing, data protection, Identity and Access Management, Incident Response and DevSecOps. If you’re experienced in any of those disciplines, consider your job largely recession proof!

But the takeaway from all of this is that, in order to satisfy demand, we can’t simply rely on graduate intake; we have to encourage more people into the profession from related fields. Currently, nearly half of those now working in the profession under 30 years old came from a career outside of IT, according to (ISC)2, so it can be done. The problem is that, as an outsider, it has not been easy to see how transferable your skills are.

Career mapping

Thankfully, that’s all now changing with the standardisation of industry roles. The UK Cyber Security Council is developing its Cyber Career Framework covering 16 specialisms, detailing the job titles, knowledge and responsibilities as well as salary; these are also mapped to provide insights into how the professional can either progress up the career ladder or move sideways into associated roles.

Earlier this year, the Council launched a Career Mapping Tool which aims to allow those with transferable skills to find out how they can get into the sector. It covers 19 cyber skills and asks whether the user is ‘unfamiliar’, has ‘some knowledge’ or ‘advanced knowledge’ in each of them. It’s fun to use and should help new entrants quickly establish where would be the best fit for them, as it delivers a compatibility percentage against three disciplines – Cryptography and Communications, Digital Forensics, and Secure System Development.

But we also need to do more to encourage those within the sector to stay which means improving retention through training and support. Automation can also help here, with new emerging technologies such as generative AI able to do much of the grunt work when it comes to documentation in governance, risk and compliance, for example. Plus, there are a wealth of tools that can be used to automate previously soul-destroying tasks associated with things like threat detection that could see analysts swamped with alerts.

HR has its work cut out

Ultimately, businesses are going to have to work harder in both their recruitment campaigns and their retention strategies. Recruitment-wise, composing unicorn job descriptions will only see roles go unfilled for longer. Instead, look to broaden the scope by assessing soft skills (i.e. communication and problem-solving) as well as technical ones. You can save time and effort by using the Cyber Career Framework to devise job descriptions that resonate with the market, and don’t forget to include sweeteners such as on-the-job training and career advancement support. The (ISC)2 report found twice as many people would prefer a promotion over changing jobs, so employees want to advance within your company.

Retention-wise, businesses can significantly improve their ability to hire and retain staff by developing an Employee Experience (EX) programme, suggests (ISC)2, which discovered a direct correlation between the happiness of staff and staff shortages. Conversely, low EX can be harmful to the organisation.

EX is not difficult to achieve either; it basically means listening to and valuing the contributions staff make and making that known, and most staff valued it above other perks such as extra leave or recognising birthdays. However, EX is not widely adopted in cybersecurity today, with only 28% saying their organisation valued staff input and 35% that their organisation solicited feedback on their needs.

Revisiting both your recruitment and retention plans is therefore advisable, particularly given recent developments in career mapping, but make sure too that you partner with a recruitment agency that understands the sector. An experienced recruiter can help you refine your job description to attract the right candidate for the role, knows what candidates are looking for and understands the tolerances of the market when it comes to working practices and rates of remuneration.

Utilising all these avenues will be essential as the skills shortage deepens into a skills crisis, and those businesses that are proactive in their recruitment and retention today stand to gain by being able to secure the business and its assets tomorrow.

About the Author: Michael O'Sullivan