How to close the cybersecurity workforce gap

(ISC)² released the findings of its 2021 (ISC)² Cybersecurity Workforce Study. The study reveals updated figures for both the Cybersecurity Workforce Estimate and the Cybersecurity Workforce Gap in 2021, provides key insights into the makeup of the profession and explores the challenges and opportunities that exist for professionals and hiring organizations.

The study reveals a decrease in the global workforce shortage for the second consecutive year from 3.12 million down to 2.72 million cybersecurity professionals. There are two significant contributing factors to this year’s workforce gap estimate. The first is that 700,000 new entrants joined the field since 2020, contributing to a sharp increase in the available supply, now up to 4.19 million people.

The second is that the workforce gap for every region other than Asia-Pacific increased. Data suggests that slower economic recovery from the pandemic and its impact on small businesses and critical sectors like IT services (a major cybersecurity employer in the region) is contributing to the relative softness in demand for cybersecurity professionals compared to North America, Europe and Latin America. However, Asia-Pacific still has the largest regional workforce gap of 1.42 million.

Even with 700,000 new entrants, demand continues to outpace the supply of talent. The global cybersecurity workforce needs to grow 65% to effectively defend organizations’ critical assets.

“Any increase in the global supply of cybersecurity professionals is encouraging, but let’s be realistic about what we still need and the urgency of the task before us,” said Clar Rosso, CEO, (ISC)².

“The study tells us where talent is needed most and that traditional hiring practices are insufficient. We must put people before technology, invest in their development and embrace remote work as an opportunity. And perhaps most importantly, organizations must adopt meaningful diversity, equity and inclusion practices to meet employee expectations and close the gap.”

How organizations overcome their cybersecurity workforce gap

This year’s research provides fresh perspectives into how organizations are overcoming their own workforce gaps. Study participants shared their organizations’ planned talent and technology investments, including:

• More training (36%); providing more flexible working conditions (33%); and investing in diversity, equity and inclusion (DEI) initiatives (29%)
• Using cloud service providers (38%); deploying intelligence and automation for manual tasks (37%); and involving cybersecurity staff earlier in third-party relationships (32%)

The study uncovered the avoidable consequences that occur when cybersecurity staff is stretched too thin. Participants said they experienced misconfigured systems (32%); not enough time for proper risk assessment and management (30%); slowly patched critical systems (29%); and rushed deployments (27%).

Participants also offered opinions on what specialized skills and roles their teams lack, aligned with the roles outlined in the U.S. government’s National Initiative for Cybersecurity Education (NICE) Framework. They cited categories such as Securely Provision (48%); Analyze (47%); and Protect and Defend (47%) as the top areas of need, but the data also shows a strong need for help across all roles.

Lasting pandemic impact

The percentage of cybersecurity professionals working remotely in some capacity due to the pandemic remains unchanged at 85%; however, 37% report they must now come to the office at times compared to 31% in 2020.

In addition to the advantages of remote work as a public health measure, organizations cited improved workplace flexibility (53%); accelerated innovation and digital transformation efforts (37%); and stronger collaboration (34%) as some of the ways the pandemic has changed their organizations for the better.

Security challenges arising from remote workforces included rapid deployment of new collaboration tools (31%); lack of security awareness among remote workers (30%); and rising concern for the physical security of distributed assets (29%).

Additional findings

• Cybersecurity professionals have consistently expressed very high levels of job satisfaction over the last four years—a record 77% of respondents reported they are satisfied or extremely satisfied with their jobs.
• More cybersecurity professionals are getting their start outside of IT— 17% transitioned from unrelated career fields, 15% gained access through cybersecurity education and 15% explored cybersecurity concepts independently. Alternate points of entry are more common for women than men – only 38% of female participants started their careers in IT compared to 50% of male participants.
• The average salary of a cybersecurity professional before taxes is $90,900—up from $83,000 among respondents in 2020. Salaries of certified cybersecurity professionals are $33,000 higher than those with no certifications.
• Cloud computing security is once again the top priority for cybersecurity professionals’ skills development in the next two years.