Addressing the Cybersecurity Skills Shortage
In 2022, there were an estimated 4.7 million cybersecurity professionals in the workforce – an increase of 464,000 since 2021. This welcome growth suggests businesses are now taking online threats more seriously than ever.
But while the cybersecurity workforce is growing, it’s still a long way from where it should be. Skills shortages in cybersecurity are currently the highest on record. And demand for technology staff is projected to grow at twice the rate of demand for other jobs over the next ten years.
So what’s causing this global cybersecurity skills shortage — and how can you hire the cybersecurity personnel you need to protect your business from growing online threats?
Why is there a cybersecurity skills shortage?
As businesses shift to more technology-based working practices — such as remote work and cloud-based infrastructure — there’s far more opportunity for online exploitation. Businesses that operate primarily or exclusively online are at greater risk, so they must invest in enhanced online protection.
But organizations have traditionally been slow to implement cybersecurity measures. In fact, Hiscox data suggests that many businesses only take cybersecurity seriously after they’ve experienced an attack. 55% of cyberattack victims consider online security an area of high risk, compared with 36% of non-victims.
As more firms are affected by cyberattacks, they ramp up their cybersecurity efforts — leading to a surge in pressure on staff. Almost half of cybersecurity employees have considered quitting due to stress, or know someone who has left the industry for the same reason.
Many people are leaving the profession — but few are joining it. In the UK, students taking IT-related subjects at GCSE plummeted between 2015 and 2020, suggesting fewer students intend to work in tech-related fields. This leads to a smaller talent pool, reduced funding for technology courses, and even more pressure on existing cybersecurity staff.
The impact of age, wage, and location
Fortunately, it’s now common for young people to move into cybersecurity roles after working in other areas first. One survey found that just 38% of Gen Z and millennial cybersecurity workers started their careers in IT compared with 54% of those in older generations. So despite the low uptake in IT-related courses at school and college, many people may be enticed by the high salaries and work flexibility afforded by a cybersecurity career.
In general, cybersecurity workers are ’strongly compensated’ for their work. In 2021, the average annual salary was $90,900 — up from $83,000 the year before, and $69,000 in 2019. As demand continues to outpace supply, businesses will have to match these high salaries to hire and retain staff. But when you weigh up the potential cost of a breach or cybersecurity incident, investing in staff salaries and cybersecurity tech can ultimately save you money.
While the rise of remote work has increased online security risks for businesses, it’s also opened an opportunity for remote hiring. Workers no longer need to live near a tech hub or major city to work in technology and cybersecurity. Businesses can hire the best staff from far-reaching destinations to create a global workforce. Employees, meanwhile, can access career opportunities all over the world, creating a lifestyle that suits them.
This also extends to education. Remote study means more students can access training and develop cybersecurity skills no matter where they live, creating more cybersecurity experts to fill job vacancies.
Have mental health risks contributed to a cybersecurity skills shortage?
Another reason for the cybersecurity skills shortage is the stress associated with the profession. A huge 91% of cybersecurity professionals report feeling stressed in their role — and almost half of these said their work-related stress levels have increased over the last year. 45% have even considered quitting their jobs due to stress.
Cybersecurity staff report that the three most stressful factors of their work are:
- The impossibility of stopping every threat
- The expectation to be constantly on call
- Not having enough security operations staff.
The shift to remote work has also had a complex impact on staff mental health. Some researchers suggest remote working reduces stress, while others have found 29% of people feel that working from home is bad for their health and wellbeing.
Why must we address the cybersecurity skills shortage?
Cyberattacks now cost businesses more than $1 trillion every year — and all kinds of businesses are affected. Many hackers now target small and medium-sized businesses, who typically have less stringent cybersecurity measures in place. And while those that operate online have a larger attack surface, any company that uses email or hosts a website can be subject to online attacks, including:
- Ransomware
- Account takeover
- Phishing emails
- Distributed-denial-of-service
- Credential stuffing
- API abuse.
Cybercriminals become emboldened by successful offenses, which spurs them on to create bigger, better online attacks. Building a strong cybersecurity workforce is critical for mitigating these threats, minimizing damage, and reducing financial loss.
People are regularly cited as the single biggest security risk to businesses. So by integrating cybersecurity skills in workplace training for all — not just the experts — we can also reduce the threats posed by human error.
But mitigating security risks isn’t the only reason we must tackle the skills shortage. Clients are increasingly looking for digital supply chain contractors with strong cybersecurity credentials, so businesses need excellent cybersecurity staff and systems to stand out from the competition.
How to fill cybersecurity vacancies in your business
Take care of your staff
Staff retention is cheaper than hiring new employees. If you already have cybersecurity staff on your payroll, be aware of the high risk of burnout and stress experienced by people in these positions. They’re working hard to protect your company, so make sure they have the head space and support they need to work effectively.
At Netacea, for example, we have created our Mental Health Champions initiative. A Mental Health Champion at Netacea represents four key values:
- We are non-judgmental, here to listen and signpost to support our team members.
- We are transparent and open minded.
- We are confidential.
- We are on a mission to remove stigma, normalize talking about mental health, and seeking and/or receiving treatment.
The Mental Health Champions are visible people around Netacea, from various teams and various backgrounds, there to offer support to colleagues who may need a confidential ear. Trained in mental health awareness and first aid, the team is there to signpost support, whether that be internal or external.
Hire an apprentice
If you want to hire cybersecurity personnel but your budget won’t stretch to those high salaries, consider taking on an apprentice. In the UK, there are currently three cybersecurity apprenticeships:
- Level 3 Cyber Security Technician
- Level 4 Cyber Security Technologist
- Level 6 Cyber Security Technical Professional.
If you pay the apprenticeship levy (i.e., you have an annual pay bill of more than £3 million), your apprenticeship hiring costs may already be covered.
In the US, there are even more options. Use the National Initiative For Cybersecurity Education apprenticeship finder to see which programs are already out there.
Upskill existing staff
Many cybersecurity staff don’t start out in technical roles. If an existing staff member is interested in becoming a cybersecurity specialist, consider enrolling them on a cybersecurity training course. This could be an apprenticeship, degree program, or a certification such as CISSP (Certified Information Systems Security Professional).
Paying for staff training is great for staff morale and retention. But it’s also often cheaper than hiring externally, so it’s ideal for both employees and businesses.
Look for talent further afield
Create a global workforce to meet the demands of your business. If the cybersecurity skills shortages are particularly stark in your area, it may be time to seek out talent elsewhere. Remote work means you can find talented, experienced employees in other cities, rural communities, and even other countries.
Create a more inclusive workforce
The tech industry isn’t exactly known for its diversity. In the US, just 26% of technology employees are women, 8% are black or African American, and 8% are Hispanic or Latino. This can make people from underrepresented groups apprehensive about applying for tech roles, despite their talent, skills, and experience.
This gender gap starts at school. 62% of young men in the UK are interested in a career requiring advanced digital skills, versus just 42% of young women. Education providers must also take responsibility for this and encourage all enthusiastic students to pursue their interest in a tech-based career.
No matter which strategy you use, you should continually invest in training for your cybersecurity professionals so they’re prepared for new and upcoming threats.
Can AI reduce the pressure on our cybersecurity workforce?
Artificial intelligence is already helping businesses fight back against cyberattacks. Machines can detect online threats far more quickly and accurately than humans can — helping human experts make smarter decisions about how to manage and respond to cyberattacks. This minimizes burnout and stress among the workforce, while keeping businesses safe online.
AI won’t replace human cybersecurity experts — but it can definitely make their job easier. Learn more about the impact of AI on cybersecurity.