February 17, 2021 By Mike Elgan 4 min read

Cybersecurity hiring is going through a weird phase. The pandemic, the remote work movement, budget changes and the rising aggression and refinement of cyber attacks are all major shifts. Through it all, and into the future, is a persistent cybersecurity skills gap. There simply aren’t enough experts in this field to go around. And while the shortage of these in-demand experts remains, the job description is changing, segmenting and expanding. 

What Happened in 2020? 

The year 2020 was a shock to the system. The pandemic triggered three effects that massively impacted this field.

1. Most employers sent workers home. Some 62% of employees started working from home, according to a study by the International Consortium of Minority Cybersecurity Professionals (ICMCP) and CyberVista.

This is no small change. Suddenly, a huge number of employees are working on consumer routers and over consumer broadband networks. They’re using home equipment, which means other family members and threat actors can gain physical or virtual access to the same devices used to access sensitive resources. The change happened suddenly, without major planning or testing. And the app stack changed, with video meetings going mainstream and business travel curtailed. Remote workers in the U.S. will likely continue to work from home into the future. 

2. There was a rapid change in revenue at most companies. Some businesses took big hits to revenue and a few soared as the result of increased demand. Mostly, the loss of revenue impacted hiring.

While the need is high, more than half (54%) of cybersecurity workers are concerned about the spending needed for hiring because of a loss of revenue resulting from the pandemic, according to the 2020 Cybersecurity Workforce Study from The International Information System Security Certification Consortium ((ISC)2). Despite revenue dropping at many companies, many experts expect budgets to increase. 

It’s very hard to predict how companies will fare over the coming years, and how the national fortune will go. This lack of certainty makes longer-term planning more challenging. 

3. Threat actors jumped into action. They can now exploit remote work networks. In addition, they can use fears around the pandemic as a subject for attacks. 

The Cybersecurity Skills Gap Needs to be Bridged

The gap between vacancies and candidates has also widened, according to the ICMCP study. Meanwhile, the (ISC)² study found that 56% of businesses say the cybersecurity talent shortage is putting them at risk. The gap isn’t evenly spread, according to the ICMCP report. Health care and financial services have the biggest number of openings since June 18, 2020, followed by information technology and services, retail and software. 

The talent shortage becomes clear for many groups each time they advertise a job opening. Some 86% of cybersecurity job openings attract fewer than 10 applicants, while jobs in other areas of the company often get hundreds. 

The (ISC)² study estimates the global cybersecurity workforce numbers more than 3.5 million people, an increase of 25% (around 700,000 workers) over the previous year. 

To fill the gap, cybersecurity hiring needs to increase by 89% worldwide and 41% in the United States. This enormous gap affects business across industries and sectors. 

Expand the Pool and Retain People

Adding to the challenge, businesses still face a huge diversity gap in the cybersecurity field, driving the need to hire more women and people from minority groups. One small bright spot is the chance to hire remote workers anywhere, rather than pulling from people who live within commuting distance of the office. 

The skills gap is not just about hiring and training, but also retaining talent. The ISACA report also found that 66% of respondents have a hard time retaining cybersecurity talent. Other companies tend to poach skilled workers. In addition, those workers often lack the chance for promotions and adequate pay, suffer from high stress and lack support from managers. 

What Do We Need in Cybersecurity Hiring Now? 

Employers need more cyber defense experts, and this is a well-known need. Nearly half (48%) intended to increase staff in 2020. And, in fact, cybersecurity hiring in the aerospace, defense and security industries had more than doubled in the last three quarters of 2020, according to GlobalData.

As the threat landscape grows more complex, the field has divided into niches more and more, each of which requires its own knowledge and hands-on work. While roughly 35 job types can be covered by the umbrella term ‘cybersecurity,’ they in fact often have little to do with each other in terms of knowledge. A security operations center analyst role is very different from a firewall engineer job, for example. 

ISACA’s 2020 State of Cybersecurity survey report found that 62% of respondents say their group’s digital defense team is understaffed and that 72% believe their human resources (HR) departments do not often understand their needs. 

Specialized Jobs Within Cybersecurity Recruitment 

Some of the most sought-after niches in 2021 and beyond will be in areas that are newer or, because of industry and usage trends mirrored by cybersecurity job trends, becoming more important. They include the following:

  • Internet of things (IoT) security
  • Mobile 
  • Artificial intelligence and machine learning
  • 5G cellular networks
  • Cloud 
  • Biometrics
  • Data intelligence
  • Investigation and incident response
  • Advanced encryption
  • Blockchain

There’s no reason to believe the skills gap can be closed by simply filling all positions with turnkey skilled people. Employers can’t just fill it with new recruits right out of school, either. Only 27% say that recent cybersecurity graduates are well-prepared, even more so in the areas of cybersecurity soft skills, IT knowledge, business insight, proven technical work and hands-on training. 

Most employers will need to cultivate their own talent. This will require creative thinking and a lot of training. One approach is cross-skilling, where the company trains and transitions existing employees in other roles. Another is to broaden entry level candidate pools outside of computer science. In fact, only around half (49%) of all current cybersecurity staff have a degree in computer or information sciences. Of the others, 20% have an engineering degree and 10% have a business degree. 

Next Steps in Cybersecurity Hiring

The way we talk about training needs to vastly improve. The security department needs to partner with HR to better convey needs and specifics. 

In other words, there are two surest ways to tackle the constant and growing skills gap. First, get better at hiring seasoned people. In addition, cultivate and retain home-grown talent from a wider range of backgrounds. 

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today