How close are we to addressing the most critical cybersecurity workforce issues? And how can leaders in security and human resources improve their ability to fill vacant jobs in cybersecurity? (ISC)2's latest "Cybersecurity Workforce Study" offers a clear picture of how many jobs in cybersecurity are unfilled, how those vacancies create ripple effects in the existing workforce and what strategies can close the gap.

The State of the Cybersecurity Workforce

If finding and retaining cybersecurity talent is a regular concern for your organization, you're not alone. In the U.S., (ISC)2 estimated there are around 805,000 people employed in cybersecurity roles, with a backlog of nearly 500,000 unfilled positions. Globally, the gap is even more pronounced: more than 4 million cybersecurity jobs are going unfilled, which means the current global workforce of around 2.8 million people would need to grow by roughly 145 percent, more than doubling, to account for all open positions.

The NIST-backed CyberSeek tool, a heat map that shows national and state-by-state job vacancies, presents slightly higher numbers for the U.S. According to CyberSeek, there were over 504,300 job openings from October 2018 through September 2019, up from 313,000 job openings in the prior year (Sept. 2017 to Sept. 2018). The tool also reports that nearly 1 million people currently work as cybersecurity professionals in the U.S.

Unsurprisingly, most respondents in (ISC)2's study pointed to the lack of skilled, experienced cybersecurity staff as one of their top concerns. Gartner likewise reported that, in the last quarter of 2018, the talent shortage became the top risk facing organizations. And this workforce gap isn't just an issue for hiring managers and cybersecurity leaders; it has a direct effect on current cybersecurity professionals in the form of added stress and burnout.

The impact on work-life balance is an issue that is unlikely to be resolved unless organizations improve their ability to fill the multitude of open jobs in cybersecurity. How exactly can security leaders and HR departments do this? Here are a few strategies to consider.

Workforce Strategy 1: Take Care of Your Existing Employees

As the oft-cited, spot-on business exchange goes, the CFO asks the CEO: "What happens if we invest in developing our people, and they leave us?" The CEO answers: "What happens if we don't, and they stay?"

Your organization has already invested significantly in finding and onboarding your current employees, and the best way to protect that investment of time, resources and money is to ensure that it delivers in the long term. The workforce study reported that only 65 percent of current cybersecurity professionals want to continue working in this field. Will business leaders be content to let the other 35 percent simply evaporate from their organizations? Why are these employees considering leaving the field? Burnout and misalignment between expectations and job responsibilities are likely key factors.

While 56 percent reported that their day-to-day work matched their expectations, 28 percent reported that their current role was only "moderately close" to what they had expected, and another 15 percent reported a strong misalignment between their job and their expectations. To bring employee expectations into line with their responsibilities and ensure that their concerns are handled properly, cybersecurity departments must ask:

  • How often are security managers and HR staff meeting with current security employees?
  • How are concerns being received? Do employees feel like they are being heard?
  • Are workers’ concerns being resolved sufficiently and in a timely fashion?

The report also pointed to the value of establishing clear career paths as a way of taking care of your workforce. Only half of the report’s respondents had a clear idea of their cybersecurity career path at their current organization. Leadership should work closely with HR to review roles and responsibilities regularly and communicate cybersecurity career path options clearly. If you wait until an employee signals they’re about to leave, it will likely be too late. Instead, organizations should leverage any opportunity to collect feedback about expectations and aspirations so management can support the career goals of their cybersecurity personnel.

Another way to demonstrate organizational support is to establish professional mentorship programs and renew your organization’s commitment to investing in ongoing training and professional development. Employees whose organizations paid for cybersecurity certifications displayed “significantly higher job satisfaction rates than their peers” who worked for employers who didn’t. A majority of security professionals (59 percent) are either already working on their next certification or planning to do so within a year. Let these employees know you fully support their efforts, and talk to the rest about developing their plans to pursue certifications or explore other avenues for professional development.

Workforce Strategy 2: They’re Already Working for You

You may find it effective to look within your own organization for potential sources of cybersecurity talent. If you are open to hiring for cybersecurity roles from within, are your current employees aware that you would consider them? Only 40 percent of people working in cybersecurity got there by pursuing a degree in traditional computer science or security, so there's no reason to overlook prime candidates who could be part of the other 60 percent. Organizations likely can't afford to overlook such candidates: (ISC)2's research showed that two-thirds of businesses now prioritize promoting from within.

But where can you find those internal gems? The report suggested looking for people with a grasp of how data flows through your organization, people who are familiar with concepts like data privacy and data security, and people with backgrounds in compliance, quality control or law. On the technical side, look for “IT generalists” who are eager to continue learning and growing.

Positions in cybersecurity are plentiful and their duties are constantly expanding, so regularly showcase the various roles people can occupy in your organization. Be sure to include both technology-facing cybersecurity roles and those that focus more on people and business factors. The report also listed some in-demand areas of professional development to support, including:

  • Cloud computing
  • Governance, risk management and compliance (GRC), and risk assessment, analysis and management
  • Threat intelligence and analysis
  • Security engineering and administration

Workforce Strategy 3: Widen Your Aperture, Be Realistic

As the saying goes, the definition of insanity is doing the same thing repeatedly and expecting different results. There simply aren’t enough people graduating with four-year degrees in cybersecurity or closely related fields to meet current demands, let alone future forecasts.

But if a candidate has a security or networking certification, why not give them a go, or at least an interview? If that candidate has an aptitude for the work and a passion for continuous learning, they might be right for your business, regardless of the specifics of their background. Organizations can't afford to wait for the perfect applicant. Instead, they must widen their workforce aperture and adjust their minimum qualifications to a realistic standard.

Another area where organizations need to accept the market reality is cybersecurity salaries. Applicants don't respond well to demands for certifications and a decade or two of experience when they're being offered a salary that's only a fraction of what the position is worth. Do your research and make competitive salary offers so you don't waste your own time or that of your applicants. The alternative is often a mad dash to hire consultants, which may leave you paying considerably more for cybersecurity services without the peace of mind that comes with investing in quality staff.

Yes, the state of the cybersecurity workforce leaves a lot to be desired: the number of unfilled positions is vast, measuring in the tens or hundreds of thousands in many countries. However, this challenge can be addressed by building better pathways into cybersecurity jobs, widening the filters organizations apply to candidates, highlighting opportunities for growth and education, and taking care of our existing security professionals.
