It’s well known that the cybersecurity sector is struggling with an acute skills gap, one that is expected to become more pronounced over time.

Globally, the workforce stands at 5.5 million and has increased 8.7% over the course of the past year, according to the ISC2 Cybersecurity Workforce Study 2023. But the workforce gap grew faster, by 12.6%, leaving a shortfall of almost 4 million.

It’s a complex problem because the gap itself can be broken down into two issues: workforce shortages and skills shortages. The two are distinctly different. A workforce shortage means not having enough personnel to staff the security function and get the job done. A skills shortage, on the other hand, refers to specific capabilities that the team needs but does not have, regardless of how many people are on it.

It’s perfectly possible to have a fully staffed team but still suffer from a skills shortage. In fact, the ISC2 report found that 59% of respondents said skills gaps can have a more detrimental effect than total worker shortages, and 58% said they can mitigate the problem of worker shortages if they have an efficient distribution of skills across the team.

Given that the emphasis is likely to be on doing more with less as organisations struggle to deal with the economic downturn, the question of which skillsets a team holds will become even more pressing. If the hiring manager can build out the team based on skills rather than headcount, this will be a more cost-effective strategy that also leaves the team better resourced. So, hirers and candidates will now be looking at the skillsets they are lacking which are in high demand.

Top skillsets

The report claims that cloud security (32%) is the most in-demand skillset, followed by risk assessment, analysis and management (31%), security analysis (28%), and security engineering (28%). In contrast, ISACA’s The State of Cybersecurity 2023 report found that cloud computing has become less prominent among the skills shortages organisations are currently experiencing, dropping four percentage points to 48% over the course of the past year. It dipped below identity and access management (IAM), which has pipped it at the post to take first place, with 49% regarding it as the most important skillset they need on staff today. In third place was data protection, down three percentage points to 44%, followed by data collection and correlation at 33%.

However, while ISACA’s report found technical non-supervisory roles were the hardest to fill, the biggest skills gap overall in today’s cybersecurity professionals’ repertoire was soft skills (55%). This was followed by cloud computing (47%) and then security controls (endpoint/network/application) implementation (35%), potentially due to the demand for zero trust.

The top five most important soft skills that cybersecurity professionals should seek to equip themselves with were communication (58%), critical thinking (54%), problem solving (49%), teamwork (45%) and attention to detail (36%). But honesty came out surprisingly low at just 17%, which is a worrying finding given that an effective security culture requires transparency and disclosure.

A lack of soft skills was also a top concern identified in the Cyber security skills in the UK labour market 2023 report, which found a third of businesses thought job applicants for cyber roles lacked communication, leadership, management, or sales and marketing skills. This marked move towards valuing soft skills could be indicative of the democratisation of cybersecurity within the business. As automation becomes more widespread, the remit of some cybersecurity professionals could become less technical and more strategic, elevating the need for these soft skills.

It’s worth noting here that the skills gaps also varied by demographic, with the ISACA report finding that security controls were the top skills gap (61%) among those with less than three years’ experience, followed by soft skills (60%) and network-related topics such as architecture and components (47%), providing an indication of where new entrants should be upskilling.

Disruptive tech

But these are all well-established disciplines within cybersecurity. What of the technological disruptors? AI and machine learning are now widely used in tooling to help tailor solutions to their environment, and we’ve seen generative AI, for instance, take the business world by storm this year. So are cybersecurity professionals looking to upskill in these areas?

Interestingly, almost half (45%) view emerging technologies as a risk to the business, with blockchain, AI, VR, quantum computing, and intelligent automation set to overtake worker/skill shortages to become the biggest challenge faced by the industry. But it also appears organisations have been slow to anticipate the need for this type of knowledge. Among hiring managers, AI/ML is not currently a top requirement, even though 28% of cybersecurity professionals placed it among their top five skillsets. Having said that, 84% admitted they have no, minimal or only moderate knowledge of AI/ML.

Given that AI/ML solutions have been with us for some time now, this raises the question of whether the sector is failing to plan for and educate the workforce in up-and-coming disciplines. Failing to plan for training in these areas can exacerbate skills shortages in the future, making it vital that organisations dedicate time and resources to the next technological wave so they don’t get caught out by future shortages.

Short term solutions

Current strategies for meeting today’s technical cybersecurity skills gap seem to be more reactive. The ISACA survey found the largest share of organisations (45%) are cross-training employees, moving non-security staff into security roles. The next most popular solution was to outsource (38%) by using contractors or consultants external to the business, although this approach was down four percentage points compared to 2022. Similarly, the use of AI and automation to ease the gap was down six percentage points to 19%.

A fifth of organisations had embarked upon reskilling programmes or performance-based training, which suggests the onus is still very much on the individual to boost their skillsets. But tellingly, across the board, investment in addressing the skills gap either stayed the same or fell, revealing that this isn’t a high enough priority when it comes to budget spend.

What these results show is that there is a very real risk of cybersecurity professionals falling behind the curve when it comes to upskilling. Organisations are not being sufficiently proactive in identifying the skills they lack or meeting the demands of tomorrow, which means they will have to fight over and pay more for top talent. Where there is training available, it’s being focused on reskilling rather than upskilling the workforce. Indeed, the ISACA survey tracked a concerning trend: a decline in the reimbursement of tuition costs by employers, saddling cyber professionals with the cost of their own education, which could again slow the sector’s ability to meet future demand.

Addressing the workforce gap effectively will require organisations to identify the most critical skillsets and to apply targeted training. A failure to do so is likely to see attrition increase and competition intensify. And, while that might be good news for those cyber professionals who have the most desirable skillsets, the potential long-term ramifications could be devastating, leading the sector to stall and businesses to become less equipped and more vulnerable.

Jamal Elmellas, Chief Operating Officer, Focus on Security

Jamal Elmellas is Chief Operating Officer at Focus on Security, the cyber security recruitment agency, where he is responsible for delivering an effective and efficient selection and recruitment service. He has specific expertise in designing and delivering secure, scalable and functional ICT services.

Prior to joining Focus on Security, Jamal built a successful security consultancy and undertook the role of CTO. He was responsible for delivering secure ICT services for both the government and private sectors. He has also fulfilled the role of Lead Security Architect and Assurance practitioner within sensitive government departments and blue organisations.

Jamal has almost 20 years’ experience in the field and is an ex-CLAS consultant and a Cisco- and Checkpoint-certified practitioner.