Every cyber security executive knows—or should know—that the current demand for skills is much greater than the supply. But a recent study by (ISC)², an international non-profit membership association of certified cyber security professionals, indicates just how mammoth the talent shortage has become.
The organization’s findings show that the cyber security workforce needs to grow 145% in order to close the skills gap and better defend organizations worldwide against the array of threats.
The 2019 Cybersecurity Workforce Study estimates the current workforce at 2.8 million professionals worldwide, and says the number of additional trained staff needed to close the skills gap is 4.07 million professionals.
For perspective, that’s greater than the estimated populations of about half the states in the U.S. And speaking of the U.S., the skills gap there is actually better than the worldwide average. The current cyber security workforce is estimated at 804,700 and the shortage of skilled professionals is 498,480, according to the report. That requires an increase of just 62% to better defend U.S. organizations.
The study is based on an online survey of 3,237 individuals responsible for security or cyber security throughout North America, Europe, Latin America, and Asia-Pacific. The respondents were a mix of certified professionals in official cyber security roles, as well as IT professionals who spend a minimum of 25% of a typical work week handling cyber security-related responsibilities.
Unlike gap calculation models that subtract supply from demand, the study’s calculation takes other key factors into consideration, such as the percentage of organizations with open positions and the estimated growth of companies of different sizes.
The survey showed that nearly two thirds of the organizations surveyed (65%) report a shortage of cyber security staff. A lack of skilled and experienced cyber security personnel is the top job concern among respondents, cited by 36%.
Exactly two thirds of respondents reported that they are either somewhat satisfied (37%) or very satisfied (29%) in their jobs, and 65% intend to work in cyber security for their entire careers.
There’s been much discussion of promoting diversity in the cyber security workforce and encouraging young people to enter the field, to help ease the shortage. That includes attempts to get more women interested in cyber security, and the survey showed that 30% of the respondents are women, 23% of whom have security-specific job titles. Just under 37% of the respondents are age 35 or younger.
Having an executive solely devoted to running the security program is more common at larger organizations than smaller ones. Just over 60% of large organizations (which the researchers classify as those with more than 500 employees) have a CISO. That number drops to 50% among smaller organizations.
Top recruiting sources outside of the core cyber security talent pool include new university graduates (28%), consultants and contractors (27%), other departments within an organization (26%), security/hardware vendors (25%), and career changers (24%).
Organizations are making attempts to generate skills in-house, with 48% saying their security training budgets will increase within the next year.
The average North American salary for cyber security professionals is $90,000. Those holding security certifications have an average salary of $93,000 while those without earn $76,500 on average, and 59% of cyber security professionals are currently pursuing a new security certification or plan to do so within the next year.
Interestingly, just 42% of the survey respondents indicate that they started their careers in cyber security. That means 58% moved into the field from other disciplines.
The (ISC)² report described four main strategies for organizations as they face a growing need to build the workforce and recruit new talent. These include:
- Highlighting training and professional development opportunities that contribute to career advancement.
- Properly setting levels on applicant qualifications to make sure the net is cast as wide as possible for undiscovered talent.
- Attracting new workers such as recent college graduates who have tangential degrees to cyber security, or hiring seasoned professionals such as consultants and contractors for full-time roles.
- Strengthening from within by further developing and cross-training existing IT professionals with transferable skills.
On a positive note, the study shows that cyber security and IT professionals are largely satisfied in their careers and optimistic about their futures.
“But the size of the current workforce still leaves a significant gap between the number of cyber security professionals working in the field and the number needed to keep organizations safe,” it says.