Introduction
The relationship between demand and supply and their price sensitivity, made famous by early thinkers and economists like Adam Smith and Alfred Marshall, among others of that era, applies as much to cybersecurity talent as to any other product or service. It is however relevant to start a discussion on the subject by looking at the unique situation of cybersecurity talent. A 2023 study shows that 1 million cyber professionals (4) are currently employed in the USA, with a further requirement of 500,000 more professionals. This means that for every one opportunity occupied, two more remain to be filled. On a global level, the problem is even more magnified – a World Economic Forum article (5) puts the supply gap at 4 million specialists.
Simply put, the demand for cyber professionals is far in excess of the talent that is available.
A unique demand-supply situation
Though by itself this is not overly alarming – other industries too have witnessed such trends – the following unique characteristics of the cybersecurity industry must be highlighted. Cyber professionals come with varying degrees of skills, competence, and experience, which significantly impact both their demand and the fees they command. The more experienced among them, the industry leaders, are more likely to be snapped up by the tech giants, like Microsoft, Apple, Google, Facebook, and others, leaving smaller businesses with little or no choice whatsoever as to whom to recruit.
The result is a skewed demand-supply situation where talent – short as it is to start out with – very often is simply not available to a major segment of organizations looking to recruit to address their cybersecurity needs.
What the numbers reveal
CEOs and CISOs worldwide are bemoaning this situation. Recruitment and retention of cybersecurity talent is no longer just a crucial aspect of organizational success – it is one of the pillars of successful operations. The figures, however, are ominous. The World Economic Forum’s Report of 2024 (1) puts the figure of leaders who confirmed that they were missing the skills and people they needed to respond to a cyber incident in their organizations at 6% in 2022. One year later, in 2023, this figure had doubled to 12%. But the really compelling statistic comes from the awareness of the undesirable state many executives feel they are in – as many as 20% of respondents confidently responded that they simply lack the skilled personnel or the skill sets to achieve their cybersecurity objectives.
Why the shortage
Cybersecurity specialists more or less fall into these categories: Information security analyst, Cybersecurity consultant, Penetration tester, Security architect, and Network security engineer. However, the problem is not entirely one of numbers; a lack of critical technical and soft skill sets also plagues the industry. This is borne out by a recent study which showed that skill gaps are cited by 36% (1) of organizations as the main reason for them not being able to meet their cyber-resilience targets.
Other reasons include:
- A lop-sided belief of team members that cybersecurity is not their responsibility, coupled with a reluctance to enhance their cyber skills
- A relentless increase in the volume of cybersecurity challenges due to a constantly-evolving cybersecurity canvas
- Dearth of in-house skills and talent to achieve cyber goals
- Lack of an adequate budget to attract talent or compete with the tech giants’ recruitment plans
- Constrained internal budgets to undertake upskilling programs for in-house teams, despite a noted interest among employees in participating in knowledge enhancement programs
- A skewed cyber team diversity ratio which does not augur well for talent optimization
- Traditional approaches amongst management and HR teams, mainly pertaining to an overemphasis on degrees and qualifications
- Turnover of cybersecurity specialists due to high workloads, stress and fatigue (3), and dissatisfaction about excessive expectations of management teams
Addressing the shortage
Despite industry leaders pointing out the unhealthy position, little seems to have been achieved. If anything, the skills gap only seems to be increasing. Bridging this chasm is not something that can be achieved overnight, but a combination of some of these checkpoints could result in some progress.
- Introduce industry-level collaboration with academia, so knowledge is shared and a steady crop of job-ready talent is created
- Mandate public-private collaboration to ensure better results and solutions to stem the increase
- Identify talent in hitherto unexplored and unrepresented communities
- Accept that cyber skills are not always taught; rather, as is often the case, they are learned hands-on
- Redesign external training programs to include short-term certifications rather than full-fledged courses that mandate full-time engagement
- Set up an elaborate in-house training program rather than opt for an over-reliance on external talent
- Review in-house training programs for relevant content. Include modern training methods like cyber range training and simulation
- Invest in automation to handle mundane and repetitive tasks and thereby ease the workload on cyber teams who can then focus on core tasks
- Ensure work-life balance is practiced with a view to reducing stress, fatigue, and turnover (2)
Conclusion
With the supply gap of specialists increasing, one would be forgiven for thinking that the writing is on the wall. The World Economic Forum predicts that at the rate at which technology is moving in comparison to the rate at which training is being rescaled, 44% of employees (1) will find their core skills severely disrupted by 2027. Cyber governance and culture, once keywords, are unlikely to impact the deficit significantly.
There is however some joy to be found as the thrust for organizational cyber resilience is gathering momentum. Many are advocating a comprehensive overhauling of upskilling systems, and tapping into new demographics and talent pools. Others are convinced that the creation of an ecosystem that sees active collaboration (5) of public and private enterprises and the administration may provide the best solution to the cybersecurity supply situation and the digital skill gap crisis.
References:
1. pdf (weforum.org)
2. Cybersecurity Talent Crisis Amid Shortages, Burnout, and CISO Resignations – Aurora Systems Consulting Inc. (aurorait.com)
3. The Looming Threat of Fatigue, Stress and Burnout in Cybersecurity – Aurora Systems Consulting Inc. (aurorait.com)
4. The Cyber Security Talent Shortage: Part I – The Law of Supply and Demand (bgsf.com)
5. Closing cyber skills gap needs public-private collaboration | World Economic Forum (weforum.org)