The threat landscape is more challenging than ever, and the cybersecurity workforce is dogged by overwork and burnout. No wonder there's a cybersecurity talent shortage. Or is there?
The most recent numbers from (ISC)2, from last year, show that the cybersecurity global workforce reached 5.5 million. That’s up by 9% over the year before. At the same time, (ISC)2 found that the number of cybersecurity workers needed to fill open roles and pent-up demand for work grew at a faster rate — 13% — and reached a high-water mark of 4 million cybersecurity professionals needed worldwide.
The traditional narrative is that there are simply not enough qualified candidates out there to fulfill cybersecurity’s need for productive technical workers. But over the past couple of years, the zeitgeist on this matter has started to shift. Many security and recruiting veterans are starting to believe that there are plenty of good candidates on the job market eager to fill these roles.
Workforce pros say the security world is simply doing a terrible job of recruiting and that what's needed is a less rigid mold for what an ideal candidate looks like. Grant Collins, infrastructure security engineer at Indeed and manager of a professional development community called Cyberacademy, said that while many people talk about a cybersecurity skills shortage gap, the truth is very different.
“It's more of a hiring and talent gap that often isn't talked about.”
—Grant Collins
Cybersecurity analysts are often called on to do a root-cause analysis of a breach. So to make the issue relatable, Collins said, let's start thinking of the hiring gap in terms of root causes. Here are the key reasons companies can’t or won’t fill their security positions even with talented folks out there looking for work.
[ See Article: 5 SecOps automation challenges | Get Report: How Automation Bridges the Security Skills Gap ]
1. Security job descriptions and job postings turn people off
One of the biggest problems that is hampering companies' ability to recruit and cast a wider net for applicants who could do great work is that job descriptions and job postings are not specific.
“We have these job descriptions that make no sense and are really turning off people and really sending the message that that's not a place to work. So even though I'm looking, I'm not going to apply there because that job description is three jobs,” said Deidre Diamond, founder and CEO of recruiting firm CyberSN.com.
One of the big issues is that many descriptions and postings describe roles, responsibilities, and job requirements by just cutting and and pasting not thinking through them well, Diamond said.
“We’ve got to own this stuff, and there are a lot of things [in recruiting] that we’re just doing wrong. Defining roles and responsibilities is one of the things that we fail at most. A job description should be a measurable agreement in terms of what somebody is doing.”
—Deidre Diamond
2. Hiring managers and internal recruiters are too hung up on certs
When job descriptions and postings aren’t well conceived, companies end up setting up laundry lists of job requirements that immediately exclude a vast swath of worthy candidates who may not necessarily check every box. In a lot of cases, there’s a discrepancy between what a company recruiter says has to go into the posting and what the security team actually wants, Collins said. For example, many firms get hung up on certifications or years of experience with a particular technology.
In a recent video on the myth of worker shortages, Collins said that companies often just list a set of technical skills or certifications they found online,. Then, he said, they can say, "If you don't have the certification or experience, then you're out of this process.”
This not only tunes job platform algorithms to automatically cull many viable candidates, but it also keeps job seekers from even applying, he said.
“You may be eager to learn, adapt, and grow into a role. ... Ultimately, all of this comes down to an expectations gap between recruiters and job seekers.”
—Grant Collins
3. Many positions don’t really require degrees
There’s a similar expectations gap when it comes to degrees. According to Fortinet’s 2024 Global Cybersecurity Skills Gap report, some 71% of companies today require four-year degrees for their security positions. But the fact is that many of the best in the security business don’t have a four-year degree and don’t need one to do great work as security analysts, coders, and more.
Mike Paez, technical trainer for the Fortinet Training Institute, said this overlooks potential talent from nontraditional backgrounds such as bootcamps and self-learning.
“Adjusting these requirements and incorporating them into existing programs like apprenticeships or trained-to-hire could significantly expand their talent pool.”
—Mike Paez
Organizations that loosen their requirements could start pulling in a wider range of candidates from underrepresented groups such as women, minorities, and veterans.
Not only would that make the talent pool deeper; it would also bring in a more well-rounded set of perspectives and approaches to security problem solving. And the survey showed that hiring talent from underrepresented groups has slid in recent years.
“[Broadening hiring is] a huge missed opportunity and something that organizations should look to address moving forward."
—Mike Paez
Fortunately, there’s some positive movement on this front. The federal government recently rolled out a program to loosen degree requirements for certain types of cyber-employees.
Seeyew Mo, assistant national cyber director for the White House's Cyber Workforce Directorate, said a whole classification of employees in the federal government can now be hired based on their skills regardless of how they acquired them.
“What we wanted to do is to send a signal to the community colleges, to universities, to private employers to sort of say that if we can do this, you can do it too."
—Seeyew Mo
4. Nobody wants to hire entry-level cyber-workers
When it comes down to it, organizations are going to have to do a better job of building out their talent pipelines. The real shortage that many organizations face is in finding cybersecurity unicorns — folks with a degree, all the certifications, and years of experience. These people are in short supply — and they always will be.
The problem is that even when someone has both degrees and certs, many companies are still unwilling to hire them without several years on the job, said Jennifer Mathis, vice president of career training at cybersecurity training firm ACI Learning. She said her firm is always looking for ways to help students overcome that hurdle for their first job.
"Every day we are trying to figure out how do we hack that requirement."
—Jennifer Mathis
She explained that hiring managers need to be advocates within their organizations to rethink entry-level requirements for those coming in fresh — perhaps by selling an "upskilling" pathway of training and apprenticeship to ensure beginners' success in quickly growing into their roles.
5. Hiring managers and recruiters discount career pivoters’ experiences
Organizations could also broaden their candidate pool by considering years of business experience as a part of their evaluation process and thus include potentially talented career pivoters in their search, said Ron Culler, vice president of cyber-development programs for CompTIA. This could be all the more fruitful if such talent is recruited from internal staff who work outside the cybersecurity department, he said.
“It's easier to hire somebody at a service desk or a network admin position than it is to find someone in a cyber role. A new program and new people sounds a little scary for companies, but if we talk about an upskilling apprenticeship program with current employees, it reduces the risk a little bit."
—Ron Culler
This can prove especially useful for cyber-adjacent employees in other parts of IT who may even have relevant tech skills but just need a bit of additional training to get up to speed on cybersecurity-specific skills. The big advantage is that they have invaluable institutional knowledge that can take years to attain. “If you've got somebody sitting in your organization, in a service desk, a network admin, or a systems admin role who has that institutional knowledge and you can incentivize them into the career, then backfill those jobs with them,” Culler said.
The answers: Mentorship, apprenticeship, training — and better salaries
Ultimately, whether you blame a skills gap, a talent gap, or a people shortage, security teams really are stretched thin at many organizations. On an employer-by-employer basis, there’s simply no shortcut to the problem. At the end of the day, more organizations need to invest in a combination of strong mentorship, apprenticeship, and training to strengthen their cybersecurity workforce pipeline for the long haul.
And one thing is clear, experts say: Organizations are going to need to pay folks more. A 2024 SANS GIAC Cyber Workforce Research Report said the No. 1 hiring challenge still remains salary competitiveness. The report suggests that there’s not necessarily a shortage of workers but rather a shortage of people willing to work for peanuts.
