Special Editions 10.14.24
Ep 76 | 10.14.24

Solution Spotlight: A first look at ISC2's 2024 Cybersecurity Workforce Study.

Transcript

Dave Bittner: Hello everyone, and thanks for joining us for this N2K CyberWire Special Edition. On our "Solution Spotlight", N2K President Simone Petrella speaks with Andy Woolnough, ISC2's Executive Vice President of Corporate Affairs. They're discussing ISC2's 2024 cybersecurity workforce study. [ Music ]

Simone Petrella: Well, I am thrilled to be joined today by Andy Woolnough. Thank you so much for joining me today, Andy.

Andy Woolnough: Thanks for having me. I'm looking forward to it.

Simone Petrella: Yeah. So I want to start because ISC2, just in September, put out your annual "Workforce Study", or at least the first look of it, and before we dive into it, can you tell me a little bit about the history of ISC2 and doing these workforce studies and why it's so important for the organization to kind of have a finger on the pulse of the global profession like you do today?

Andy Woolnough: Sure. I'm happy to. Thanks for the question. So very briefly, the "Workforce Study" is, I think, about three or four years old now. It was started by clever people before I joined, so I can just take the credit of their work.

Simone Petrella: They're not here to defend themselves.

Andy Woolnough: Exactly. So, as you know, ISC2 is one of the world's sort of largest sort of membership associations for cybersecurity professionals. And we thought it was really important for us to take an annual pulse check of how the profession is feeling about certain issues on a regular basis so that we can feed that feedback back into a number of places within our own organization in some of the professional education and learning and development tools that we offer our membership so we can feed it back into governments as they're thinking about policy, especially around important areas like AI, but also as they think about developing their workforce in cybersecurity as well. So we can feed it back into organizations who we work with, who are, you know, in financial services or in energy or government or wherever it is, so they can understand what's going on with cybersecurity professionals. But also, it's a really important benchmark for a number of tangential issues that we see in cybersecurity around things like burnout in the profession and the sorts of things that cybersecurity people are looking at. Things like investment in cybersecurity teams, both in career investment, but also skills training and development, what skills are important to cybersecurity professionals and hiring managers so we can try and match them up there. But also important topics like DEI and what the state of diversity and inclusion in cybersecurity is. So it tells us all of these things on an annual basis.

Simone Petrella: One of the things that I think, you know, really struck me this year was that the study indicated that this was the first year that the cybersecurity workforce growth has stalled with a relatively modest, if almost insignificant growth of like 0.1%. So we're kind of stuck at 5.5 million global professionals. What do you think are some of the reasons for that stagnation this year?

Andy Woolnough: Well, so what the recipients told us was, for the first year, it wasn't so much a lack of talent that they were seeing was stalling the workforce, but a lack of investment. And they thought that it was attributable mainly to economic conditions that we're seeing around the world. Now, it's important to note there was nuance within that. We didn't see stagnation throughout the globe. We measure a number of different countries and we look at sort of recipients, you know, from Australia all the way through Europe into Africa and to the United States. And, yes, large markets like the US, the UK were fairly stagnant and that's important to know that that's probably off quite a high base as well, you know, those are quite developed markets when it comes to cybersecurity in relative terms. Where we see a lot of growth was in some parts of Europe, in places like the Netherlands and Germany, but also in Australia. But big, big growth in places like Saudi Arabia and South Africa. And we think that that's down to the stance that governments and organizations are sort of taking in those markets to try and grow and develop their workforces. In Australia's case, it could be, you know, that they're part of the Five Eyes, they're quite close to China and other places like that, and so that could be taking a-- playing a role there. But the stagnation was, yes, you're right, very much sort of in the more developed markets, in the US in particular.

Simone Petrella: And I want to get back to some of the global perspective that you all have captured in this study because I think it is fairly unique. I don't know if I've seen many that do it really truly kind of as a survey across the globe. But at least as far as the US, I think it's very interesting because there's also information out there in our statistics today on the demographics and nuance of the cybersecurity workforce that support and bolster that hypothesis that it's not so much a lack of talent, but it's kind of where it's distributed. And so, we actually see a surplus for the first time in the US of, you know, cybersecurity talent at the entry-level, but then when you get to the mid and senior levels, that's actually where the gap continues to either hold steady or even increase slightly. So we're not doing a great job of like pulling people through, which, you know, to me indicates sort of some of that, what you're hearing from some of the respondents around maybe a lack of investment or some budget constraints or things like that.

Andy Woolnough: Yeah, I think that's right. And I think, you know, we talk a lot about attracting new talents into the cybersecurity workforce. And when you think of new talents, it doesn't have to be sort of graduate level, you know, young 18- to 21-year-olds. We're seeing a lot of recipients of our Certified in Cybersecurity entry-level certification as being sort of 39, 40. And so, that suggests to me that, you know, people are getting so far in tangential or adjacent professions and then thinking cybersecurity looks really great, you know, I might want to try some of that. But you're right, I think then, you know, you're experiencing a lack of investment in the development of that workforce to retain them. I think, you know, what we found was we saw quite a lot of hiring freezes this year, so about 38% of our respondents reported hiring freezes, 25% layoffs, 32% seeing fewer promotions. And by promotions, I think that sort of encompasses career development in general. So once you're in, I think there's a lack of sort of mobility and movement, in part due to a lack of investment from organizations. And I think in some respects, that could be down to a lack of, you know, awareness of what cybersecurity's role is in terms of business growth and development. Somebody once said, you know, "If you need a fast car, you need good brakes." And we always look at cybersecurity as being the good brakes to the fast car. It's an enabler of innovation, it's an enabler of growth. But I think a lot of the organizations see it as more of a compliance function. And I think the more that cybersecurity professionals can demonstrate with their sort of CFOs and the higher-ups that they are a critical part of the innovation cycle, of the revenue cycle, the better it will become for them and the easier it will be for them to be invested in.
But I agree, we're certainly seeing and what people are reporting back to us on is that lack of growth when they're in the profession. And I think also, I mean, you know, you would know this better than I would, but I think, you know, DEI comes into this as well in terms of, you know, women and people from sort of non-traditional pathways into cybersecurity getting in and feeling that their pathways may be a little bit blocked because, you know, cybersecurity doesn't quite know how to grow and develop those kinds of people as well. And so, I think that plays a big role in everything we're seeing.

Simone Petrella: Yeah. You know, it's impossible for me to not think, especially when we kind of compare where the US is, where the rest of the globe is as you did this survey. How much do you think kind of government advocacy, legislation, and kind of government just initiatives in kind of driving, putting a priority on this is impacting how we actually view the profession, its evolution, versus it kind of self-constructing itself? You know, we put a lot of onus on the profession and be like, "Yeah, like, make sure that we know that everyone takes this seriously and it's part of the revenue and we're the good brakes and everyone can go faster." But, you know, many times I think that's a hard sell at the boardroom level. And we tend to have more sticks than we do carrots.

Andy Woolnough: Yeah, I think that's right. I think it's-- I think partly it's around the skills cybersecurity people want to develop. So within the study, this shouldn't be interpreted-- what I'm about to say shouldn't be interpreted as a lack of ambition or career development, but cybersecurity people, a lot of them came back and said, "Look, we're not necessarily interested in promotion. We're not necessarily interested in, you know, getting that senior title or becoming a CISO, or whatever it is. Our great skill is-- our love is the job. It's developing, you know, the systems and almost the intellectual kind of cut and thrust of keeping an organization safe, detecting threats, understanding algorithms, looking at really clever ways to stop very clever people doing very damaging things." And that seems to be what drives a lot of people coming into cybersecurity. And then when you say, "Oh, by the way, you're stressed, you're burnt out, you don't have a lot of resources, now go and manage those 25 people and write loads of reports and live in Excel." That doesn't seem to be a particularly high motivator for a lot of cybersecurity professionals. And so, one of the skills, I think, that is lacking within the profession is that ability to contextualize cybersecurity within the business and as a business driver. And so I think, you know, that's an area that if you want more investment, you've got to be able to convince the CFO. It's as simple as that. And if you're not convincing the CFO, then you're not going to get very far.
And so I think, you know, if there was one area that I think cybersecurity people could really sort of look at and demonstrate that they've got an awareness of, it's that ability to contextualize what they do, you know, how it's going to help support revenue growth, how it's going to, you know, develop a long-term work plan that can bring more talent in at the right levels, and then automate systems through AI or whatever it is so that you can actually reduce the budgets and do everything you wanted to do, but on better terms for the business. So I think it's about having those kinds of conversations to help support the inward investment to cybersecurity teams.

Simone Petrella: Yeah.

Dave Bittner: We'll be right back. [ Music ]

Simone Petrella: One of the things that I know came out in the first look of the study was around the shortage of key skills, but maybe more interesting was the divergence between what professionals see as some of the major skills gaps or shortages versus maybe what HR departments organizationally view as the key skill divergences. Can you highlight maybe a few of those discrepancies? And then maybe my second part would be, you know, and for those who are members of ISC2 or who are considering being members, like, what are some of the areas that you view being most critical from a skills development perspective for the cyber profession?

Andy Woolnough: Yeah, so I think there was that disparity between what hiring managers and hiring, you know, the HR teams wanted and what professionals thought were important. The professionals themselves thought that communication skills, cloud computing skills, AI skills, and GRC were among the most important, whereas hiring managers prioritized -- yes, they prioritized communication skills, maybe a little bit less, but it was still important. But cloud computing, AI, and GRC were really, really low. And so, what that says is that, you know, the disconnect means that what's coming into the organization and what's being looked for isn't necessarily going to fit in automatically with the teams that are receiving those skill sets. We haven't gone too deeply into why that is happening because that would involve then also surveying HR teams, and so on. So, we're not doing that at the moment. But what it demonstrates is there needs to be a much greater alignment between, you know, the hiring functions and talking to the individuals within those teams and finding out what they're dealing with and the areas they feel that they are lacking in order to then go and hire the right kinds of mixes. You know, they're still getting the cloud computing skills in. It's just maybe not to the right level or the right volume that they're requiring. And that's putting more stress on the existing teams who are having to sort of cover those shortfalls while also being told, "Well, we've hired, you know, what was the problem?" So, I think there needs to be that sort of more tight alignment between what the teams themselves are saying and the HR process.

Simone Petrella: Totally fair. I also think we've won the record for going the longest on a cybersecurity podcast without saying the term AI. So I'll jump on it now. I know, can you believe it took us this long?

Andy Woolnough: I think I've said it. Sorry.

Simone Petrella: But, you know, while we're on it, how do you view some of the emerging innovations in AI and automation, and what impacts do you think that they'll have on the cybersecurity workforce over the next few years?

Andy Woolnough: Yeah, it's-- we're at the foothills of AI within our own organization and also sort of measuring its impact. And I think that's largely because I think a lot of organizations are. You know, we're seeing the full range of organizational stance on AI. You know, a lot of organizations are really rapidly adopting it, and it's almost like a bit of a free-for-all. Some organizations are sandboxing it and looking at it within certain environments in order to sort of control it and some are sort of waiting to see. So, the organizational stance is quite varied and then the cyber teams within that have to make sense of that. I think what cybersecurity professionals are saying to us is that they see both threat and benefit from AI. So, it is a tool, and as a tool, it has its utility and it can also be misused and it can be used. And I think how different groups are using it and misusing it depends on the situation. I think what we're being told by the professionals themselves is that there needs to be a very clear organizational policy. And if we can start to put some policy ethical use cases and guidelines around the use of AI that fits the organization and its industry and its risk appetite, then that will make it easier for the cybersecurity teams to start to administer it. So, I think that they're seeing it very much in the very logical way that cybersecurity people see things. You know, it is a tool, it needs policies, we need to have an ethical use case around it. And they should be involved in that, but it's not just their decision. You know, the business as a whole needs to have a point of view about AI, especially around its ethical use. And that needs to be based on its risk appetite and the industry it's in. And if that's not coming down from the board or from the management team, then it's very, very difficult for cybersecurity people to manage it. So I think -- so those are some of the things we're sort of hearing back as AI develops.

Simone Petrella: You know, one of the things, and maybe the last question I'll leave us with because I think it is related to your answer. I have been so impressed over the last few years, in particular, ISC2 has been very adamant about really proclaiming and moving away from the term "cybersecurity industry", which is someone who grew up in the space is what we kind of refer to ourselves as being in the industry, but now to sort of evolving into it's "we're part of a profession." And so, what you're describing in kind of like those codes and the ethics and kind of what governs as some of these new technologies come out, I guess my kind of parting question is, where does ISC2 see itself really sitting in relationship to its membership, the professionals, and then the organizations and the governments that are grappling with how to kind of systematically address some of these issues whether it's with the workforce, the advent of AI, you know, but anything else that affects like our cyber security in general.

Andy Woolnough: Wow, a great question.

Simone Petrella: I'm leaving you with a big one.

Andy Woolnough: Thank you. And my-- I've suddenly got agoraphobia because my answer can go in all sorts of different directions and it's probably not even going to cover half of it. So thank you for that hand grenade at the end.

Simone Petrella: No problem.

Andy Woolnough: I love that question. So you're right. I think, it's a prof-- you know, it's got to be seen as a profession. And, you know, if you look at risk and compliance at the board level, you know, you can't move for financial managers, legal managers, but where are the cybersecurity people? And data and information is so critical to every organization, it's more important than anything else. And there are so many sort of risk points that it can be misused and leak, and what have you. And so, I think, you know, the recognition that cybersecurity and information security, you know, plays that critical role in the organization, I think, is slightly lacking. You know, there's very little cyber experience at the board level across the industries. So I think that is a problem. And also, you know, I think-- I was talking today to another conversation I was having, and, you know, it occurred to me that cybersecurity is a little bit like air traffic control. In that, you know, it is high stress. So much relies on cybersecurity to get it right. And when it goes wrong, it can go really, really wrong. And that comes with burnout, that comes with stress, that comes with, you know, a high degree of training, a high degree of technical expertise. You know, it really does need to be recognized as the profession it is. And then sort of frameworks put around that in a much more defined way that controls sort of who can get in, you know, without lowering-- keeping the gate broad, without lowering the standards is something we're all trying to do. But then help. You know, there is-- if you look at the law, legal profession, there's any number of structures in place, you know, codes of ethics and training and degrees, and, you know, lawyers, barristers, solicitors, they're very, very supported in their profession. They have, you know, sort of liability insurance. They-- you know, it's a very, very well-tried and trusted risk profession that is hundreds of years old.
And I think the sooner we can get to somewhere near that for cybersecurity professionals, the better. And that involves organizations like ours, you know, pushing the agenda and making sure that, you know, governments and other organizations recognize that. The UK's chartering cybersecurity professionals at the moment, which is again, another step in the right direction of ensuring that cybersecurity professionals are recognized, their work to get to where they got to is very, very important, and therefore, they have obligations, but also they have resources that they can benefit from and support they can benefit from. And organizations like ours that need to pull together things like global codes of ethics, and, you know, we've got all these members who are very willing and able to volunteer for us, so what they think matters, and that should all go into those, you know, ethical canons. And then, you know, yes, the work that governments are doing. You know, we have a very sort of strong advocacy which works with governments across the world to try and have these conversations to help the profession be sort of put up there with accountancy, with financial services, with legal, as a very high value and very well-respected, you know, professional standard. Sorry, that was a bit long-winded. I tried to sort of pull all the thoughts I had together into one kind of package.

Simone Petrella: No, well done.

Andy Woolnough: Thank you.

Simone Petrella: I know I threw you out there with the last one. But, Andy, thank you so much for joining. If you, you know, want to go check it out, ISC2's 2024 "State of the Cyber Security Workforce Study" is out now. Do you want to throw a URL that people can go access the study or where can they go?

Andy Woolnough: The first look is out on our website. We're actually releasing the full study after Congress, which is next week. So we have our annual Congress in Las Vegas next week, and then the study is being launched after that. So we'll make sure we send you a copy.

Simone Petrella: Wonderful, we're looking forward to it. Thank you so much for joining, Andy.

Andy Woolnough: Thanks for having me on, it was great fun. [ Music ]

Dave Bittner: That's N2K's Simone Petrella, along with Andy Woolnough from ISC2, he's Executive Vice President for Corporate Affairs. You can find a link to ISC2's 2024 "Cybersecurity Workforce Study" in our show notes. Thanks for listening. We'll see you here next time. [ Music ]