A recent report and panel discussion by the International Information System Security Certification Consortium concluded that the technology industry urgently needs more cybersecurity professionals — but significant barriers persist.
The 2024 ISC2 Cybersecurity Workforce Study, which includes responses from 15,852 cybersecurity practitioners and decision-makers globally, found that 90% of respondents face skills shortages within their organizations — particularly in areas such as AI, cloud computing, security, and zero trust implementation.
Some of these shortages can stem from mismatches between what job seekers want and what potential employers offer. The common joke about “entry-level jobs with five years of experience” can be a reality, said Brandon Dunlap, Gartner’s senior executive partner in security and risk management, during the panel discussion “Bridging the Gap: Challenges in the Cyber Workforce” on Sept. 10.
Globally, the workforce gap in the cybersecurity profession sits at 4.8 million, ISC2 reported. That is a 19% shortfall between the roles organizations need to secure their systems and the professionals available to fill them. However, some countries, such as Canada, Brazil, Mexico, the Netherlands, and Spain, have seen the gap decrease. (ISC2 notes that this number doesn’t necessarily match the number of open job positions.)
These challenges can prevent companies from filling open positions or make it difficult for job seekers to find suitable roles. Defining cybersecurity positions can be particularly challenging for HR teams. Referring to “cybersecurity” as a blanket term is like saying “medicine” without specifying the type of doctor, said Simon Salmon, ISC2 instructor and head of IT at Nottingham City Council.
“You have to have some real deep conversations with your recruiting and staffing folks about what it actually takes to hire the right talent,” said Dan Houser, chair of the ISC2 board of directors.
Many organizations focus on hiring mid- to advanced-level roles, reflecting a lack of pipeline development for foundational skills. Of the organizations surveyed:
There’s also an issue of companies failing to offer competitive salaries, noted Houser. Cybersecurity jobs tend to come with a salary bump compared with other IT positions, but some HR departments don’t account for these expectations in their listings. Government positions, in particular, often struggle to match private-sector pay.
“Part of the challenge we’re seeing is not that there isn’t available labor — it’s available labor at a reasonable rate,” Houser explained.
To attract cybersecurity talent, companies must offer fair compensation, foster a respectful and collaborative work environment, and ensure employees feel appreciated and able to make meaningful contributions, according to Lisa Young, vice chair of the ISC2 board of directors.
As she asked, “How much time do businesses ever say thank you for anything we do?” This is particularly a problem in cyber security because “one of the measures of success is something bad didn’t happen,” she said. “If we’re doing our job well, it’s often transparent.”
Once professionals rise the ranks, job satisfaction typically remains high, which helps to retain them. But nearly one-third of participating organizations reported having no entry-level cybersecurity workers.
Larger companies are more likely to offer entry-level and junior positions (1-3 years of experience), but most organizations still focus on hiring mid- to advanced-level roles. This approach may contribute to the skills gap by failing to develop a pipeline of workers who can eventually fill senior roles as more experienced workers retire or otherwise leave the organization.
SEE: Why Your Business Needs Cybersecurity Awareness Training (TechRepublic Premium)
Dunlap said other factors that can support cybersecurity job growth include:
Continuing professional development is crucial, as the field of technology evolves rapidly, Young said. Ongoing learning can help professionals acquire the skills needed to address the technical gaps identified by ISC2 — including AI/ML, cloud computing security, zero trust implementation, digital forensics, and application security, which sit at the top of the list.
Conversely, the report highlighted a disconnect between perceived and desired AI skills: 23% of cybersecurity professionals think AI/ML skills are in demand, while 12% of hiring managers are looking for those skills for cybersecurity roles.
Vocational schools or community colleges can be rich pipelines for cybersecurity professionals, Dunlop said.
Salmon works on a program that identifies teenagers with the soft skills needed in cyber security — “an aptitude for learning, good customer-facing skills, being personable and being able to turn up” — and trains them on the technical skills.
“We very quickly found the people being left behind were people with neurodivergent diagnoses or people with dyslexia, and what we found amazing was they are the people who excelled,” said Salmon.
“You can address the shortage if you are appropriately inclusive,” said Salmon.