If you’ve been following reports and whispering with industry colleagues, you know what’s going on: the cybersecurity skills gap is difficult to close, and the Great Resignation is here. The 2021 (ISC)2 workforce study gives us a mixed picture of what to expect:

  • The Cybersecurity Workforce Estimate states there are 4.19 million cybersecurity workers worldwide, an increase of more than 700,000 from 2020. So far, good news.
  • The Cybersecurity Workforce Gap dropped from 3.12 million to 2.72 million. More good news.
  • Together, the industry requires a 65% increase in the global workforce to close the gap. Not good news.

A few more tidbits of interest:

  • Some regions are outpacing others at closing the gap. For example, Germany saw a 165% increase in its workforce compared to 30% in the United States.
  • Many cybersecurity workers, about 50%, started in IT and transitioned to security.
  • Job satisfaction trends (satisfied or extremely satisfied): 72% in 2018, 66% in 2019, 76% in 2020, and 77% in 2021.

The excellent visuals in this report allow you to breeze through findings if you are short on time. But take these findings with a grain of salt. As we’ll see below, gains can be wiped out easily and quickly.

How 2021 Added to the Great Resignation

Before 2021, the skills gap could be generally said to stem from growing threats, workforce/talent availability and worker burnout. But 2021 has turned the world a bit topsy-turvy. There are new factors that go beyond industry-specific challenges, including:

  • Remote work becoming a permanent state
  • Talent pool availability, based on geographic region, increasing
  • Job requisitions drawn up out of desperation and becoming a checkbox exercise or, worse, drawing the wrong talent
  • Work-life and future in the industry
  • Socio-economic trends impacting salaries, morale and participation.

There is also much more psychology to consider now than before. For example, are people more satisfied than in 2019 because they are happier with the industry or happy to have a job through the pandemic? The (ISC)2 study shares some great pandemic-specific facts, but the answer to this question remains unclear.

But one thing is certain: the Great Resignation is real. It is being led by Millennials and Generation Z, who are highly mobile in their professional lives, followed by Generation X, who tend to be self-sufficient and work long hours but are less committed to specific employers.

This trend should worry employers, because not only do they face a retention problem, they face a current and future workforce problem. Flexibility and trust are going to be essential, even more so with so many jobs available. Generational attitudes do matter.

Let’s expand a little on these issues.

Remote Work and Talent Pool Availability

You should not view the COVID-19 pandemic as an activation of a business continuity plan. Employers should consider themselves lucky that they did not lose most of their workforce for any sustained amount of time. Also, be thankful for reliable internet connections and resilient infrastructure. Business processes transferred mostly seamlessly for the ‘laptop class’ of workers – the luckiest bunch over the last 20+ months. Remote connections have proven reliable, even if they come with new security concerns.

A side effect of this shift is proof that you don’t need to be spending time in an office and commuting. As a result, businesses could also start hiring outside of an office’s region.

Because of this proof, getting people back into an office will be hard. Demand too much and you may push out the limited talent on hand. Also, keep in mind, the Great Resignation is giving people second thoughts about their entire careers. Industry-wide demands could result in industry-wide losses.

How to Hire During the Great Resignation

HR departments need to work more closely with hiring managers to align expectations and retain staff. Three-step guidance is useful here.

  • Step one: stop the checkbox exercise. There may be a passionate and capable worker out there, but if they are kept out because of certification, you could be missing out on a major asset. Listen to Dee Hock. As the founder of Visa, things worked out all right for him.
  • Step two: no bait and switches on job descriptions. With a lot of jobs out there, people can pick and choose. They won’t tolerate deception. If you hire a security developer but have them working incident response, you run the risk of stressing them out, setting them up for failure and turning them into a disgruntled employee. Play to their strengths before you end up with a bad return on investment.
  • Step three: build the farm team and give them a shot at the majors. If upper roles are being filled from external postings too often, employees will see the writing on the wall: no way to move upward.

It comes down to being flexible and gaining workers’ trust.

While this is not a cybersecurity industry-specific issue, it’s no secret that one of the best ways to get a salary and job title bump is to jump to another company. It’s on employers to do what they can to minimize that damage. Even the U.S. government is raising pay and cutting red tape to get more cybersecurity talent.

Managing External Forces

It would not be honest to discuss the Great Resignation and not bring up inflation and vaccine mandates. Inflation is real. The cost of living is shooting up, which will drive remote work demands.

Also, perception matters. If the organization is performing well, but employees are not getting a taste, they’ll walk. Emotions are in full play here. The ‘just happy to have a job’ feeling appears to be waning.

Vaccine mandates impact workforces: organizations could lose anywhere from 5% to 40% of their workforces. People walking out is real. Go back to the (ISC)2 Cybersecurity Workforce Estimate: there was about a 20% increase in talent from 2020 to 2021. Mandates could wipe out those gains in one shot and for good.

How Badly Do You Want Talent?

In closing, talent is available. However, a lot of forces are driving people to different places or may be shutting them entirely out of a market desperately in need. How organizations address these last drivers, especially the external ones, is entirely up to them. That makes 2021 the pivot year. The challenge employers face in 2022 demands that they ask themselves: how badly do they want that talent?
