Cybersecurity hiring is going through a weird phase. The pandemic, the remote work movement, budget changes and the rising aggression and refinement of cyber attacks are all major shifts. Through it all, and into the future, is a persistent cybersecurity skills gap. There simply aren’t enough experts in this field to go around. And while the shortage of these in-demand experts remains, the job description is changing, segmenting and expanding. 

What Happened in 2020? 

The year 2020 was a shock to the system. The pandemic triggered three effects that massively impacted this field.

1. Most employers sent workers home. Some 62% of employees started working from home, according to a study by the International Consortium of Minority Cybersecurity Professionals (ICMCP) and CyberVista.

This is no small change. Suddenly, a huge number of employees are working on consumer routers and over consumer broadband networks. They’re using home equipment, which means other family members and threat actors can gain physical or virtual access to the same devices used to access sensitive resources. The change happened suddenly, without major planning or testing. And the app stack changed, with video meetings going mainstream and business travel curtailed. Remote workers in the U.S. will likely continue to work from home into the future. 

2. There was a rapid change in revenue at most companies. Some businesses took big hits to revenue and a few soared as the result of increased demand. Mostly, the loss of revenue impacted hiring.

While the need is high, more than half (54%) of cybersecurity workers are concerned about the spending needed for hiring because of a loss of revenue resulting from the pandemic, according to the 2020 Cybersecurity Workforce Study from The International Information System Security Certification Consortium ((ISC)²). Despite revenue dropping at many companies, many experts expect budgets to increase. 

It’s very hard to predict how companies will fare over the coming years, and how the national fortune will go. This lack of certainty makes longer-term planning more challenging. 

3. Threat actors jumped into action. They can now exploit remote work networks. In addition, they can use fears around the pandemic as a subject for attacks. 

The Cybersecurity Skills Gap Needs to be Bridged

The gap between vacancies and candidates has also widened, according to the ICMCP study. Meanwhile, the (ISC)² study found that 56% of businesses say the cybersecurity talent shortage is putting them at risk. The gap isn’t evenly spread, according to the ICMCP report. Health care and financial services have the biggest number of openings since June 18, 2020, followed by information technology and services, retail and software. 

The talent shortage becomes clear for many groups each time they advertise a job opening. Some 86% of cybersecurity job openings attract fewer than 10 applicants, while jobs in other areas of the company often get hundreds. 

The (ISC)² study estimates the global cybersecurity workforce numbers more than 3.5 million people, an increase of 25% (around 700,000 workers) over the previous year. 

To fill the gap, cybersecurity hiring needs to increase by 89% worldwide and 41% in the United States. This enormous gap affects businesses across industries and sectors. 

Expand the Pool and Retain People

Adding to the challenge, businesses still face a huge diversity gap in the cybersecurity field, driving the need to hire more women and people from minority groups. One small bright spot is the chance to hire remote workers anywhere, rather than pulling from people who live within commuting distance of the office. 

The skills gap is not just about hiring and training, but also retaining talent. The ISACA report also found that 66% of respondents have a hard time retaining cybersecurity talent. Other companies tend to poach skilled workers. In addition, those workers often lack the chance for promotions and adequate pay, suffer from high stress and lack support from managers. 

What Do We Need in Cybersecurity Hiring Now? 

Employers need more cyber defense experts, and this is a well-known need. Nearly half (48%) intended to increase staff in 2020. And, in fact, cybersecurity hiring in the aerospace, defense and security industries had more than doubled in the last three quarters of 2020, according to GlobalData.

As the threat landscape grows more complex, the field has divided into niches more and more, each of which requires its own knowledge and hands-on work. While roughly 35 job types can be covered by the umbrella term ‘cybersecurity,’ they in fact often have little to do with each other in terms of knowledge. A security operations center analyst role is very different from a firewall engineer job, for example. 

ISACA’s 2020 State of Cybersecurity survey report found that 62% of respondents say their group’s digital defense team is understaffed and that 72% believe their human resources (HR) departments do not often understand their needs. 

Specialized Jobs Within Cybersecurity Recruitment 

Some of the most sought-after niches in 2021 and beyond will be in areas that are newer or that are becoming more important because of industry and usage trends, which cybersecurity job trends mirror. They include the following:

  • Internet of things (IoT) security
  • Mobile 
  • Artificial intelligence and machine learning
  • 5G cellular networks
  • Cloud 
  • Biometrics
  • Data intelligence
  • Investigation and incident response
  • Advanced encryption
  • Blockchain

There’s no reason to believe the skills gap can be closed by simply filling all positions with turnkey skilled people. Employers can’t just fill it with new recruits right out of school, either. Only 27% say that recent cybersecurity graduates are well-prepared, even more so in the areas of cybersecurity soft skills, IT knowledge, business insight, proven technical work and hands-on training. 

Most employers will need to cultivate their own talent. This will require creative thinking and a lot of training. One approach is cross-skilling, where the company trains and transitions existing employees in other roles. Another is to broaden entry level candidate pools outside of computer science. In fact, only around half (49%) of all current cybersecurity staff have a degree in computer or information sciences. Of the others, 20% have an engineering degree and 10% have a business degree. 

Next Steps in Cybersecurity Hiring

The way we talk about training needs to vastly improve. The security department needs to partner with HR to better convey needs and specifics. 

In other words, there are two sure ways to tackle the constant and growing skills gap. First, get better at hiring seasoned people. In addition, cultivate and retain home-grown talent from a wider range of backgrounds. 
