The Growing Cybersecurity Skills Gap: What's Causing It?

The technology sector is, in general, short of talented workers. But the problem is even more acute in the realm of cybersecurity. Companies and government organizations seem utterly unable to recruit the people they need to do vital security work. 

And that’s a problem. Organizations aren’t just facing threats from private hackers. They’re also under attack from state-sponsored groups with enormous funding, powerful equipment, and some of the finest minds.

Critically, the cybersecurity skills gap doesn’t appear to be closing. Even with eye-watering wages and all the job perks you can imagine, companies and public bodies are struggling to attract the talent they need. It simply doesn’t exist. 

Figuring out why this is happening is tricky. Usually, markets correct by raising the price of the item in short supply (in this case, cybersecurity experts). As the price rises, more suppliers enter the market, and, eventually, the cost starts to come down again. 

However, that hasn’t happened with cybersecurity. Despite high-profile companies offering huge starting salaries for many years, there’s still a tremendous shortage of people entering the industry. The labor market should have corrected itself, but it didn’t.

The skills gap is actually much bigger than most companies realize. In the U.S. alone, there are more than 700,000 cybersecurity positions available, while worldwide, that figure balloons to more than 3.5 million. 

The Impact Of The Cybersecurity Skills Gap Shortfall

The impact of the cybersecurity skills gap shortfall is tremendous. Even as salaries continue to rise, executives are unable to acquire the people they need to keep their networks and devices safe. 

According to some industry insiders, it’s a self-fulfilling problem because of the pressures that professionals face. If a company does manage to get its hands on a cybersecurity expert, they usually have to work without support. The risk of burnout increases and, eventually, they go looking for a better firm or quit working in the industry entirely. According to an ISSA study, cases of burnout among cybersecurity professionals are at an all-time high. The work demands they face are excessive.

The cost of the skills gap, though, is enormous. Government agencies, universities, and private organizations are putting their employees at risk. The threat of financial fraud, personal information theft, and privacy violations is higher than it has ever been. 

To solve this, economic actors need to understand what’s driving the skills shortage. Here are some of the top causes:

Demand Keeps Increasing

Image Credit: Pexels

The cybersecurity industry, a little bit like the AI industry, is experiencing accelerating demand for staff. As threats grow, more organizations are competing for workers. While the number of cyber professionals is growing, it is not keeping pace with open positions.

There is also the issue of complexity. Cybersecurity isn’t just one field. It is several sub-fields, and they continue to evolve over time as security risks change. 

No single person can be an expert in all areas, so there are bottlenecks in the industry. When hackers come up with a new way to threaten organizations, it requires professionals to respond with a different set of skills. It’s not always possible to predict what these skills will be, leading to further shortages. 

Organizations are also building this fact into their cybersecurity HR. Large firms know that a single cybersecurity expert probably isn’t sufficient to protect them. They need a range of people with different skills to cover their entire attack surface. And that’s driving demand for workers higher still. 

Companies Aren’t Leveraging The Experts They Already Have

In addition to this, companies are failing to leverage the experts that they already have. As The Smartest Person in the Room book points out, organizations need to move beyond just using cybersecurity professionals to “fix” problems. Deployment should be strategic, and designed to improve the degree of automated defenses a company can achieve. 

Failure to do this is making cybersecurity more labor-intensive than it needs to be. And, in turn, this is leading to greater demand for individual workers. 

Employers Are Demanding Too Much From Cybersecurity Experts

Part of the problem is self-imposed. Employers often prefer to hire no one at all than to take a chance on an underqualified candidate. Many insist that prospective cybersecurity employees have master’s degrees and decades of experience in the industry before they are willing to hire them. 

Of course, in a tight labor market, this is unrealistic. And, in many cases, unnecessary. Because threats are constantly evolving, experience isn’t particularly important in cybersecurity. What does matter, though, is a candidate’s ability to anticipate threats and respond to crises as they develop. 

Therefore, employers should consider modifying their approach. Instead of insisting on the perfect candidate to show up at their office one day, they should look to develop promising talent in-house at a lower cost. After all, having some cybersecurity coverage is better than none. 

Experts Are Leaving The Profession

As discussed above, experts are also leaving the profession. Surveys reveal endemic dissatisfaction with the work, with one in three employees considering changing profession entirely. 

The high rates of pay are also contributing to this effect. Workers only need to commit a few years to the industry to build up enough money to comfortably retire. There simply isn’t an incentive to continue grinding away for decades, as there was in the past. 

Employees Lack Relevant Skills

Lastly, employees are failing to keep their skills up to date. They’re experts in tackling the cyber threats of 2012, but they have no idea what to do in the face of 2022 threats. 

Because of this, productivity is low. Many professionals don’t know how to respond when attacks occur and need to read up on best practices. This takes time, slows their response, and means that firms have to hire more experts to get the same amount of work done. 

Ironically, professional courses are abundant online. Cybersecurity professionals can train themselves in practically any area. The problem is that employers don’t support them in this so their skills become outdated quickly. 

In summary, the cybersecurity skills gap is the result of a combination of factors. High demand, lack of expertise, and an unwillingness of organizations to train professionals are contributing to the shortage.

(Devdiscourse's journalists were not involved in the production of this article. The facts and opinions appearing in the article do not reflect the views of Devdiscourse and Devdiscourse does not claim any responsibility for the same.)