For the second year in a row, the global shortage of cybersecurity workers has eased, but it's still not time to celebrate, much less relax.
The decline from 3.12 million to 2.72 million unfilled job openings was reported in October by (ISC)², the world's largest nonprofit association of certified cybersecurity professionals, in its annual Cybersecurity Workforce Study.
However, the study shows that the cybersecurity workforce gap increased in every region in the world except the Asia-Pacific region. Even at that, Asia-Pacific still had a workforce gap of 1.42 million, the largest of any region in the world.
The data suggests that slower-than-expected economic recovery from the pandemic in the Asia-Pacific region and COVID-19's effect on small businesses and critical sectors such as IT services—a major cybersecurity employer in the region—is contributing to the relative softness in demand for cybersecurity professionals there compared to North America, Europe, and Latin America, the report said.
The study estimated that there are 4.19 million cybersecurity workers in the world, based on surveys and an array of secondary sources. Year over year, that's an increase of 700,000 workers.
"Any increase in the global supply of cybersecurity professionals is encouraging, but let's be realistic about what we still need and the urgency of the task before us," (ISC)² CEO Clar Rosso said in a statement. "The study tells us where talent is needed most and that traditional hiring practices are insufficient," she continued. "We must put people before technology, invest in their development, and embrace remote work as an opportunity.
"And perhaps most importantly," she added, "organizations must adopt meaningful diversity, equity, and inclusion practices to meet employee expectations and close the gap."
Shortages can lead to larger problems
The shortages can be connected to increased risk for companies. "As a result of not being fully staffed, systems are being misconfigured," (ISC)²'s Rosso said in an interview.
"There's not enough time for proper risk assessment and management. Organizations are slow to patch critical systems. Oversight of process and procedures is at a lower level than it should be. They are unable to monitor and find threats against the organization.
"What's interesting about those items," she continued, "is they align directly to the reported reasons why organizations have data breaches or are subject to ransomware attacks."
Job satisfaction still high
Contrary to some media reports and the experience of recruiters in the trenches, (ISC)² maintained that cybersecurity workers are largely highly engaged and satisfied with their jobs.
Cybersecurity is anything but predictable, and that dynamism and the challenges it presents may be why many successful cybersecurity professionals overwhelmingly report happiness with their jobs.
In fact, the report added, those currently in cybersecurity roles have consistently expressed very high levels of job satisfaction over the last four years, and they reported sharply higher satisfaction in the last two.
For 2021, this includes the highest satisfaction figures ever reported—77% of respondents reported they are satisfied or extremely satisfied with their jobs—significantly higher than the 66% reporting that level of satisfaction in 2019.
Those long-term job satisfaction numbers, though, may not reflect what's happening in the near term.
Work-at-home a major factor
"In the last 90 days, the number of people that have moved to jobs in cybersecurity is five times higher than we've ever seen during any 90-day period," said Deidre Diamond, founder and CEO of CyberSN, a cybersecurity staffing firm.
"For the last 90 days, massive resignations have gone on," she said. "Companies started messing around with whether they were going to stay remote, even though they were being told no one wanted to go back to the office. The minute companies started getting wishy-washy, people started to leave."
Those sentiments were also reflected in the (ISC)² report, which found that only 15% of the global cybersecurity workforce had any desire to return to the office full time.
"The possibility of being in the office [only] a couple of days a week can be quite appealing to security teams," said James McQuiggan, security awareness advocate at KnowBe4, a training provider. "They appreciate the option of working from home or being in the office," he added.
On the other hand, the increase in remote workers also has a downside for security pros. "A year and a half of remote and hybrid work has translated into an expanded attack surface—more workers are engaging in lax security practices across both work and home networks," explained Nick Kolakowski, senior editor at Dice Insights, a technology employment news and information website.
Making matters worse was the suddenness of the changes, added Josh Drew, regional director at Robert Half Technology in Boston. "The transformation happened all at once, making it extremely difficult for cybersecurity professionals to keep up and handle the bandwidth," he said.
Pandemic drives burnout
According to CyberSN, the pandemic appears to be contributing to an increase in resignations in the cybersecurity field. Since the beginning of the pandemic, resignations have increased 20% on the US East Coast and 18% on the West Coast.
A comparison of CyberSN surveys conducted before the pandemic and now suggests that those resignations are partly attributable to the pandemic.
Pre-pandemic on the East Coast, the major reason given by security pros for leaving their job was lack of growth opportunities (30%), followed by low salaries (30%), poor culture (25%), and lack of training (15%).
Now, more than 20 months into the pandemic, a lack of growth opportunities remains in the top spot (40%), but two new issues have emerged: the desire for remote-only work (30%), and burnout and work overload (20%). Poor culture dropped to 10%.
Surveys of West Coast workers had similar findings. Pre-pandemic, a lack of growth opportunities was the prime factor for leaving a post (40%), followed by poor culture (25%), lack of training (20%), and low salaries (15%).
Now the top reason for resignations is burnout (30%), followed by full-time remote work (20%), a lack of growth opportunities (20%), poor culture (20%), and acquisition concerns (10%).
"Burnout used to be a secondary reason for leaving a job," CyberSN's Diamond said. "Now it's a primary reason. People want to go places where the organization knows how to do security at scale."
"It was bad enough when one person had to do two jobs," she added. "Now they're being asked to do four jobs."
Closing the gap
Still, interest in cybersecurity jobs remains high. According to online jobs board Indeed, cybersecurity jobs and interest in them grew from October 2020 to October 2021. During the period, cybersecurity-related job postings increased 14% on the platform, it noted in information provided to TechBeacon, and searches for cybersecurity-related roles jumped by 16%.
Robert Half's Drew added that from a local perspective, there's still a shortage of qualified candidates in the cybersecurity space. "Right now, in the US, unemployment rates for information security analysts are 0.8%," he said. "To put that into context, the national unemployment rate is 4.8%."
Drew identified three methods companies are using to address workforce shortages in the cybersecurity field:
- Increasing the training offered to existing employees
- Promoting career paths to give existing workers a crack at building their skill levels and responsibilities, including training entry-level candidates
- Using third parties to fill in manpower gaps
Entry-level challenges
Accepting entry-level candidates continues to be a problem for the industry, Diamond maintained. "What I'm seeing is entry-level people in great numbers struggling to get in," she said. "It's taking six months, a year, and they're having to take other jobs while they're pounding the pavement."
(ISC)², for its part, is moving to address the entry-level problem. "We have under development an entry-level certification that is designed for individuals with no background in IT or cybersecurity," Rosso explained.
It will be a steppingstone to CISSP certification, she said, and will be launched in early 2022. The CISSP certification is designed to validate information security work experience and a working knowledge of security principles and practices.
"Employers have been very, very enthusiastic about entry-level certification," Rosso noted. "They say they need this and are excited it's happening."
Some experience required
Whether a one-size-fits-all certification for cybersecurity newbies will work remains to be seen.
"Cybersecurity encompasses a huge subset of individual roles that can require vastly different skills," explained Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company.
"While there are certainly some fundamentals of cybersecurity that generally apply across disciplines, to be truly effective requires domain-specific experience and expertise," he added.
"Another area that often gets overlooked when discussing cybersecurity is that it also requires a strong general IT knowledge base," he added. "A person who isn't passable at Windows systems administration is likely to be very limited in their ability to effectively secure it or attack it."
The way forward
All in all, this year's (ISC)² cybersecurity workforce report is illuminating in a number of ways. For example, adding 700,000 people to the workforce in the midst of a worldwide pandemic is impressive.
It also found that the talent gap continued to increase in all regions but Asia-Pacific.
"Fortunately, this year’s study participants have charted a course forward," the report said. "The cybersecurity workforce—the very people on the front lines defending our critical assets around the world—are telling us where talent is needed most; that old habits in hiring need to change; that technology spending alone won't fix our problems; that remote work is a greater opportunity than a threat; and that they expect meaningful diversity, equity, and inclusion (DEI) initiatives from their employers."