The information security profession was once a relatively small, close-knit community that lacked diversity and presented few opportunities to new professionals trying to enter the sector. Since then, there has been explosive growth within the sector as a result of a number of major, public security incidents.
In 2023, there is greater demand than ever before for highly trained and certified cyber security professionals; both as in-house experts to keep organisation’s secure and as professionals within cyber security firms. As a result, it is estimated that within the UK alone the information security market is expected to be worth in excess of £5bn over the next five years.
However, this growth in demand for cyber security talent brings with it its own set of problems. The first is the cyber security talent shortage. The 2022 (ISC)2 Cybersecurity Workforce Study found that an additional 3.4 million cyber security professionals are needed to match current levels of demand from around the world[1]. Given that the same report estimates there to be 4.7 million people working in cyber security globally, this is an enormous shortfall of professionals to fill these jobs.
Another major challenge for the cyber security market is the lack of diversity. A recent report published by the UK government found that women only make up 17% of the cyber workforce and only 14% of cyber leadership roles[2]. This is a slight reduction compared to the previous year, where 22% of cyber workforce was female. The same report also found that only 12% of the cyber workforce are neurodivergent and 7% are physically disabled.
With these challenges in mind, this blog will discuss potential ways of addressing the cyber security skills gap and what can be done to promote diversity within the sector. Fundamentally, it is clear that having a large recruitment budget is not the solution to building a skilled cyber security workforce or fostering diversity. Cyber security firms and organisations looking to expand their cyber teams so they can address threats to their business must take a more considered and deliberate approach to these problems.
For more on how diversity can help overcome the cyber skills gap and enhance the performance of cyber teams, see our 'Security and Sustainability Across CNI: 2023' report.
Causes of the Cyber Security Talent Gap
Outdated hiring practices are a key contributor to the cyber security talent gap. These practices have been spurred on by the traditional mindset that security professionals should need an ‘education’ or ‘experience’ (in a narrowly defined sense of the term). This has been a key constraint in enabling a skilled, diverse workforce as it imposes an arbitrary limit on who has historically been considered for cyber security roles.
To fill their positions, the industry has typically relied on technically skilled individuals with backgrounds in computing and IT that hold a multitude of industry certifications. This effectively created a ‘tick box’ culture within hiring practices whereby applicants that didn’t meet all of the technical requirements wouldn’t even make an application or, if they did, did not make it far within the interview process.
This approach disproportionately impacts minority groups, particularly those who do not identify as male. The language within the job descriptions used under this approach has a significant impact on the type of applicants that it attracts. For example, typical cyber role advertisements are proven to be more appealing to a male audience[3].
As a result of trends like these, there has been slower uptake in cyber roles among those who do not identify as male, with only 37.8% of UK respondents in Bridewell's security and sustainability research confirming that job descriptions have been reviewed and converted to a neutral tone and language. This perpetuates the cyber security talent gap further as opportunities have not historically been advertised in a manner that is accessible to the entirety of the eligible population.
The Cyber Skills Gap Causes Cyber Burnout
Another consequence of the cyber skills gap is how it impacts cyber security professionals currently working within the sector. With the demand for cyber services growing, the strain on existing staff is at an all-time high. An organisation with a significant shortage of cyber talent is likely to find their workloads unmanageable, which can make them more susceptible to cyber attacks. This is leading to an inevitable increase in burnout among professionals that are under-resourced for extended periods of time. Ultimately, prolong exposure to stressful working environments can lead to professions leaving the cyber security industry entirely.
Aside from the negative impact this has on individuals, cyber burnout is not sustainable for long-term growth of the industry. It reduces the number of available professionals and prevents knowledge transfer to newer recruits, who need the expertise and guidance of senior professionals to shape their own careers and lead cyber firms in the future. This trend is supported by data from our 2022 CNI research, which found that 4 in 10 cyber leaders in UK CNI say stress and burnout could push them to leave their job in the next year.
Beyond the impact on the cyber professionals themselves, it is also worth according to the same study by ISC(2) that a lack of qualified cyber resources has caused mass system vulnerabilities, lack of both risk and threat awareness and a definitive lack of proactive response mechanisms in the event of breaches or incidents-to name a few. Having the right technology and assets is not necessarily the answer to this issue (though it is often perceived to be). Whilst the implementation of new technologies enables better working practices and can reduce the requirement for hands on keyboards, there is still a distinct level of oversight required from qualified staff with the ability to ensure proper security function is maintained.
Solutions to the Cyber Skills Gap
Despite these problems, there is a way out of the skills gap, albeit one which will take significant commitment from organisations. The most impactful action that employers can take is developing their strategies around diversity and inclusion. Minority groups are often underrepresented amongst cyber security professionals despite representing a large pool of talent with unique skills and capabilities when compared to ‘typical’ practitioners. Initiatives that help organisations recruit from a more diverse range of people, provides the opportunity to overcome the cyber security skill shortage.
Women are also frequently underrepresented in the cyber industry – especially in leadership roles – yet contribute unique soft-skills and other benefits that can fundamentally improve cyber practices. By ensuring that the terminology used within job descriptions are neutral, avoiding terms such as ‘he will be’, more female candidates can feel incentivised to apply for cyber security roles. It’s a basic, yet impactful decision, that can help address the skills gap.
Another approach to addressing the cyber skills gap is expanding hiring criteria to encompass a wider range of entry routes to the cyber industry. This does not mean hiring staff that are completely unqualified but instead considering what can be taught and what cannot. For example, customer-facing attributes that build relationships and trust with clients cannot necessary be taught, but technical competency can. Moving away from the ‘tick box’ hiring method of a list of certifications ensures that we are more open to hiring those who possess the correct soft skills and developing their industry-specific knowledge over time.
We see this more frequently today than we have in the past, with more organisations offering cyber bootcamps, where the transferable skills are considered heavily in the initial interview and the technical skills taught as part of the hiring process.
There is also a requirement for companies to plan ahead with their existing resource to ensure that employees do not suffer significant burnout that leads to their departure from the industry. Providing existing employees with a range of opportunities in their workload can reduce the weight of a heavy workload and provide growth opportunities to avoid feeling stagnant and stunted within careers.
This approach needs to be integrated within long-term company strategies to create a more rewarding culture for cyber security professionals. Cyber companies which create a culture of transparency, where employees can express their concerns and feel supported prevents burn out, as issues can be mitigated at the earliest stage possible, rather than at the point in which employees no longer feel comfortable in their work environment.
References
[1] https://www.isc2.org/Research/Workforce-Study
[2] https://www.gov.uk/government/publications/cyber-security-skills-in-the-uk-labour-market-2023
[3] https://techpolicy.press/bias-in-cybersecurity-job-descriptions-hurts-diversity-in-the-field/