September 12, 2022 By Jennifer Gregory

The skills gap in cybersecurity isn’t a new concern. But new research in Fortinet’s 2022 Cybersecurity Skills Gap report confirmed what many experts have assumed: the skills gap increased risk and was likely the direct cause of at least some breaches.

Data for the survey was collected from 1,223 IT decision-makers in countries across the globe. The majority of the respondents were C-level executives (34%) or directors (34%), with the remaining responses coming from a variety of positions, including owners, vice presidents and department heads.

Breaches due to skills gap

The most surprising finding: 80% of respondents had at least one breach attributed to a lack of cybersecurity skills or awareness. In addition, 64% of the surveyed companies lost revenue or paid fines as a result of the breaches.

Overall, 67% of respondents agreed that the shortage of qualified cybersecurity candidates increases risk. However, the report found that the level of concern wasn’t equal across regions. Leaders from France (81%), North America (77%) and Hong Kong (77%) showed the highest level of concern and believe that skills shortages pose extra risks.

Skills gap leads to hiring and retention challenges

The skills gap showed up in both hiring and retaining talent, with 60% reporting that they struggle to recruit. Plus, 52% struggled to retain qualified workers. The most challenging positions to hire for due to the skills gap included cloud security (57%), security operations (50%) and network security (49%). Hiring new graduates showed the fewest problems, with only 24% struggling in this area.

However, the report also found some positives. Most notably, over the past three years, most (88%) of the surveyed organizations hired more female cybersecurity workers, and 67% hired more employees from minority groups. In addition, 53% sought out and hired more veterans.

Reducing the impact of the skills gap

The skills gap is a complex problem. It doesn’t have a solution that works across the board. Organizations and the industry can help, though.

  1. Consider remote work when hiring for positions. Organizations used to be limited to hiring employees living within commuting distance from the office. Most companies now have remote working processes and tools. Carefully consider whether each open position — especially those that need highly specialized skills — could be a remote position. By removing location restrictions, you can access a much larger number of candidates for each position.
  2. Carefully evaluate degree standards. Many cybersecurity positions do not require college degrees, but employers limit their candidates by requiring them. Consider how certifications and digital badges can show real-world skills. These are often a better measure of expertise than more general degree programs.
  3. Increase internships and apprenticeships. Reducing the skills gap starts with hiring more younger workers. Internships or apprenticeships create a funnel of qualified applicants.

The cybersecurity skills gap can have a big impact on an organization through breaches and fines. By knowing how it works, businesses can make reducing the skills gap and filling open positions a high priority. The cybersecurity skills gap isn’t just a human resources issue; it should be an organization-wide concern.
