Is the cyber talent ecosystem broken?

Like what you read and curious about the conversation? Visit CISO Perspectives to get further insights into this topic. CISO Perspectives is a weekly column and podcast where Kim Jones explores the evolving landscape of cybersecurity leadership, talent, and risk—because success in cybersecurity is about people, not just technology.


Welcome to the CISO Perspectives Weekly Briefing, where we break down this week’s conversation, providing insights into relevant research and information to help you further understand the topics discussed.


At 750 words, this briefing is about a 5-minute read.

The cyber workforce shortage.

While cybersecurity rapidly expands, the industry is plagued by growing skills and workforce gaps. Each of these issues has cast serious doubts on the industry’s sustainability. 


Currently, cybersecurity is stuck in a challenging paradigm where the industry has a growing global need to attract new talent but, at the same time, is unwilling to train and develop new entry-level talent. To start with the workforce shortage, a 2024 cybersecurity report, published by the Global Cybersecurity Forum and BCG, analyzed this issue by surveying 6,000 respondents across the globe. The report highlighted the following conclusions:

  • 59% of surveyed CISOs state that this workforce shortage is a “top barrier for achieving their security posture.”
  • Projections suggest that the workforce shortage will be a key factor behind more than 50% of cybersecurity incidents worldwide.

Additionally, the report highlighted that these shortages can be attributed to numerous reasons, including:

  • Lack of qualified candidates.
  • Salary expectations are higher than the offer.
  • Competition from other organizations.
  • Below-market-rate salaries.
  • Lack of an organization’s presence in the applicant’s country.


ISC2’s 2024 Cybersecurity Workforce Study echoed similar findings. In this report, ISC2 commented on this workforce's struggles, assessing how the workforce gap is growing while job satisfaction is declining year over year (YoY). More specifically, the report found the following:

  • The size of the workforce gap is around 4.8 million globally (up 19% YoY).
  • The estimated workforce need is 10.2 million globally, with the active workforce estimated to be around 5.5 million globally.
  • This global need increased by 8.1% YoY; however, the active workforce size only increased by 0.1% YoY.

Outside of a growing need for more cybersecurity professionals, ISC2 also found that the profession is under growing pressure to maintain safety with fewer resources. For example, ISC2 found the following results:

  • 39% stated they lacked the necessary security budget.
  • 25% observed layoffs, which is up 3% YoY.
  • Nearly 33% have seen fewer promotions, representing a 6% increase YoY.


Through both the Global Cybersecurity Forum’s and ISC2’s workforce reports, we can see a worrying trend emerging in cybersecurity. This trend highlights how organizations worldwide are cutting resources for cybersecurity at a time when demand has never been higher nor more impactful. In addition to not having enough resources and personnel to effectively manage cybersecurity, another key problem has been the growing skills gap in cybersecurity.


The growing skills gap.

In addition to not having enough people working in cybersecurity, another issue is related to the ever-increasing skills gap. While significant staffing issues are contributing to these skills gaps, another aspect of this issue is related to hiring practices.


While multifaceted, one key contributor to this skills gap relates to hiring managers and potential candidates prioritizing different skills. The same ISC2 report mentioned above found that while there was an overlap in prioritized skills, there were notable differences when prioritizing technical skills.


For greater detail, ISC2 found that hiring managers prioritized soft skills such as:

  • Problem-solving abilities
  • Communication skills
  • Teamwork and collaboration
  • Eagerness to learn

Cybersecurity professionals, by contrast, stated that technical skills like cloud computing and machine-learning skills were just as important as key soft skills.


However, this problem extends beyond a disconnect between hiring managers and candidates over which skills to prioritize.


ISC2 also found that numerous organizations had no entry- or junior-level professionals on their security teams. More specifically, ISC2 found that of all the organizations it surveyed, 31% had no entry-level professionals on their teams, and another 15% had no junior-level positions. This issue is further exacerbated by 62% of hiring managers having open roles exclusively for mid to senior positions rather than attempting to prioritize a mix of skills and experiences.


Due to these workforce challenges, there is a growing concern about whether the industry will be able to handle the challenges of tomorrow when it is already struggling to handle the challenges of today. However, as evidenced by hiring managers' preferences and from the conversation on the podcast, new candidates do not need to possess a technical background to be successful in cybersecurity. By understanding how organizations are changing their preferences and being able to demonstrate soft business skills, candidates will be able to adjust to how the market is engaging with the talent ecosystem.