For cybersecurity professionals, 2023 was a mixed bag of opportunities and concerns. The good news is that the number of people in cybersecurity jobs has reached its highest number ever: 5.5 million, according to the 2023 ISC2 Global Workforce Study. However, the same study reported that there is still a serious shortfall. To best address threat landscape challenges, the workforce needs to grow at a rate of 12.6 percent a year. In the 2023 study, it only grew by 8.7 percent.
More troubling than the shortfall of approximately 4 million cybersecurity professionals is the slowdown in hiring and the rise of cutbacks. As the ISC2 study found, nearly half of those surveyed said their companies have dealt with layoffs, reduced budgets and/or hiring freezes — with more slowdown expected to come in 2024.
It’s quite a paradox. The need for a skilled cybersecurity workforce is greater than ever due to the rise in cyber threats, new attackers and attack vectors. Positions are available. Yet the looming threat of an economic downturn has made employers overly cautious about filling out their security team, and part of the reason could be because having a warm body in the position isn’t enough; potential employees don’t have the right skill sets to effectively guard against today’s biggest risks.
So, what are the demands on the cybersecurity workforce as we head into 2024? What skills are in demand and what are the obstacles that potential cyber professionals face?
What employees are looking for
A Google search of cybersecurity jobs came up with hundreds of hits. On the very first page, there were ads for a cybersecurity administrator, a cybersecurity analyst, a cyber intelligence analyst and a cybersecurity engineer.
Asking a generative AI tool for the top skills that employers are looking for in a cybersecurity workforce, the top results, which used information from job sites like Indeed, LinkedIn and Coursera, included:
- Scripting and programming languages
- Intrusion and threat prevention
- Risk identification and management
- Information security and assurance
- General security operations
- Threat analysis
- Communication and critical thinking skills.
These descriptions highlight one of the biggest issues cybersecurity professionals face when looking for new jobs or starting their careers. There are no standards for job titles, and the job requirements are fairly generic. Entry-level positions often require multiple years of experience along with certifications like CISSP, Security+ and CISA.
As government agencies, contractors and the military ramp up their cybersecurity defenses, one key requirement often stands in the way of hiring qualified applicants: security clearances.
“There are many cybersecurity jobs that need clearance, which means the main pipeline is from the military for these roles, often with no actual technical expertise,” Joseph Yang, Information Technology Administrator for Summit Public Schools, Redwood City, Calif., said in a LinkedIn message.
Getting security clearance is a complicated process that starts after the job offer is accepted. It can take upwards of a year or more for clearance to be approved, and there are disqualifiers for approval, like citizenship and poor credit scores.
Who needs cybersecurity professionals the most?
Every business, no matter the industry or the size, needs to think about cybersecurity. But some industries are more at risk than others. The industries that require strong cybersecurity policies and practices are finance, healthcare and energy. All three are highly regulated industries that must follow strict compliance guidelines to protect customer data. Healthcare and finance have long been popular for attackers because of the treasure trove of information and monetary benefits. Energy may seem like an outlier here, but the energy and utility infrastructure has become a target for ransomware attacks in recent years.
But as the threat landscape changes and new technologies boost new industries, risk levels are shifting toward different industries. According to Cyber Degrees, industries now in near critical need of cybersecurity are digital assets, e-sports and those developing AI technology. Those industries seeing an increase in risks include manufacturing, professional services and education.
Sometimes, your best cybersecurity employees have been inside the company all along. In fact, Robert Fitzgerald, Field CISO with Blue Mantis, recommended training new cybersecurity professionals. During a phone conversation, Fitzgerald pointed out that training someone specifically for your organization means you ensure you have a cyber professional who knows your organization’s security needs and they aren’t bringing in any bad habits from past jobs.
Upskilling is something large enterprises and government agencies have been doing for a while, as research finds that training employees for new tasks improves overall retention. SMBs that might already be using MSSPs for most of their cybersecurity needs can also take advantage of upskilling to ensure that they have some in-house experience, even to help other employees with security awareness training and improving overall cyber hygiene. Many cybersecurity vendors offer training programs specific to their products, while others offer vendor-neutral training that can build on skill sets. Organizations like the Cybersecurity and Infrastructure Security Agency (CISA) and ISC2 offer training options, as well.
Skills for the cyber workforce
There are some basic hard skills that every cybersecurity professional needs to know. Technical skills in operating systems, building infrastructure and databases, coding languages and understanding the fundamentals of computer networking are a must.
But cybersecurity is becoming more specialized. There is a greater need for those who understand cloud computing and the differences between cloud security and information security. AI is going to present new challenges in cybersecurity, so those who can implement AI as well as defend against new threats are required. Data analysts, white hat hackers for penetration testing and app development are also skills in increasing demand.
Organizations need cybersecurity professionals with experience with governance frameworks. Nearly every industry is now required to meet at least one government compliance standard, and new laws are being introduced each year. While a CompTIA study found that governance isn’t a high-ranking skill needed among its respondents, the changing nature of compliance means that companies will need someone with this skillset to build strategy and ensure security measures meet regulations to avoid penalties and hefty fines.
Don’t forget soft skills
Soft skills may be just as important as technical ones. Cybersecurity requires communication, so cybersecurity professionals need good verbal and written communication skills and the ability to work with people face-to-face. ISC2’s survey listed communication skills as the second most in demand, immediately behind cloud computing security. Good networking skills are vital. If interacting with the security team intimidates the rest of the organization’s employees, cybersecurity efforts will fail.
Be aware that skills do become dated and fall out of favor. The ISC2 report found that formal cybersecurity education is less in demand, especially advanced degrees and knowledge of advanced cybersecurity concepts. Hands-on experience is becoming more important.
The most important requirement for a career in cybersecurity is interest. Technology can be learned. Soft skills can be practiced. But no matter your background, if building knowledge around threat actor behaviors and putting together the strategy to protect data and networks is something that interests you, you’ve already taken the first step toward becoming a cybersecurity professional.