February 17, 2021 By Mike Elgan

Cybersecurity hiring is going through a weird phase. The pandemic, the remote work movement, budget changes and the rising aggression and refinement of cyber attacks are all major shifts. Through it all, and into the future, is a persistent cybersecurity skills gap. There simply aren’t enough experts in this field to go around. And while the shortage of these in-demand experts remains, the job description is changing, segmenting and expanding. 

What Happened in 2020? 

The year 2020 was a shock to the system. The pandemic triggered three effects that massively impacted this field.

1. Most employers sent workers home. Some 62% of employees started working from home, according to a study by the International Consortium of Minority Cybersecurity Professionals (ICMCP) and CyberVista.

This is no small change. Suddenly, a huge number of employees are working on consumer routers and over consumer broadband networks. They’re using home equipment, which means other family members and threat actors can gain physical or virtual access to the same devices used to access sensitive resources. The change happened suddenly, without major planning or testing. And the app stack changed, with video meetings going mainstream and business travel curtailed. Remote workers in the U.S. will likely continue to work from home into the future. 

2. There was a rapid change in revenue at most companies. Some businesses took big hits to revenue and a few soared as the result of increased demand. Mostly, the loss of revenue impacted hiring.

While the need is high, more than half (54%) of cybersecurity workers are concerned about the spending needed for hiring because of a loss of revenue resulting from the pandemic, according to the 2020 Cybersecurity Workforce Study from The International Information System Security Certification Consortium ((ISC)²). Despite revenue dropping at many companies, many experts expect budgets to increase.

It’s very hard to predict how companies will fare over the coming years, and how the national fortune will go. This lack of certainty makes longer-term planning more challenging. 

3. Threat actors jumped into action. They can now exploit remote work networks. In addition, they can use fears around the pandemic as a subject for attacks. 

The Cybersecurity Skills Gap Needs to be Bridged

The gap between vacancies and candidates has also widened, according to the ICMCP study. Meanwhile, the (ISC)² study found that 56% of businesses say the cybersecurity talent shortage is putting them at risk. The gap isn’t evenly spread, according to the ICMCP report. Health care and financial services have the biggest number of openings since June 18, 2020, followed by information technology and services, retail and software. 

The talent shortage becomes clear for many groups each time they advertise a job opening. Some 86% of cybersecurity job openings attract fewer than 10 applicants, while jobs in other areas of the company often get hundreds. 

The (ISC)² study estimates the global cybersecurity workforce numbers more than 3.5 million people, an increase of 25% (around 700,000 workers) over the previous year. 

To fill the gap, cybersecurity hiring needs to increase by 89% worldwide and 41% in the United States. This enormous gap affects businesses across industries and sectors.

Expand the Pool and Retain People

Adding to the challenge, businesses still face a huge diversity gap in the cybersecurity field, driving the need to hire more women and people from minority groups. One small bright spot is the chance to hire remote workers anywhere, rather than pulling from people who live within commuting distance of the office. 

The skills gap is not just about hiring and training, but also retaining talent. The ISACA report also found that 66% of respondents have a hard time retaining cybersecurity talent. Other companies tend to poach skilled workers. In addition, those workers often lack the chance for promotions and adequate pay, suffer from high stress and lack support from managers. 

What Do We Need in Cybersecurity Hiring Now? 

Employers need more cyber defense experts, and this is a well-known need. Nearly half (48%) intended to increase staff in 2020. And, in fact, cybersecurity hiring in the aerospace, defense and security industries had more than doubled in the last three quarters of 2020, according to GlobalData.

As the threat landscape grows more complex, the field has increasingly divided into niches, each of which requires its own knowledge and hands-on work. While roughly 35 job types can be covered by the umbrella term ‘cybersecurity,’ they in fact often have little to do with each other in terms of knowledge. A security operations center analyst role is very different from a firewall engineer job, for example.

ISACA’s 2020 State of Cybersecurity survey report found that 62% of respondents say their group’s digital defense team is understaffed and that 72% believe their human resources (HR) departments do not often understand their needs. 

Specialized Jobs Within Cybersecurity Recruitment 

Some of the most sought-after niches in 2021 and beyond will be in areas that are newer or, because of industry and usage trends mirrored by cybersecurity job trends, becoming more important. They include the following:

  • Internet of things (IoT) security
  • Mobile 
  • Artificial intelligence and machine learning
  • 5G cellular networks
  • Cloud 
  • Biometrics
  • Data intelligence
  • Investigation and incident response
  • Advanced encryption
  • Blockchain

There’s no reason to believe the skills gap can be closed by simply filling all positions with turnkey skilled people. Employers can’t just fill it with new recruits right out of school, either. Only 27% say that recent cybersecurity graduates are well-prepared, even more so in the areas of cybersecurity soft skills, IT knowledge, business insight, proven technical work and hands-on training. 

Most employers will need to cultivate their own talent. This will require creative thinking and a lot of training. One approach is cross-skilling, where the company trains and transitions existing employees in other roles. Another is to broaden entry level candidate pools outside of computer science. In fact, only around half (49%) of all current cybersecurity staff have a degree in computer or information sciences. Of the others, 20% have an engineering degree and 10% have a business degree. 

Next Steps in Cybersecurity Hiring

The way we talk about training needs to vastly improve. The security department needs to partner with HR to better convey needs and specifics. 

In other words, there are two sure ways to tackle the constant and growing skills gap. First, get better at hiring seasoned people. Second, cultivate and retain home-grown talent from a wider range of backgrounds.
